Re: [qubes-users] Can't Start Network, V4

2019-04-08 Thread haaber

On 4/9/19 12:58 PM, Ray Joseph wrote:

> Thank you for your support.  I don't know what 'panel' I should see the 
> nm-applet opening in.  I opened a terminal in sys-net and entered nm-applet and 
> obtained a response that said it was not meant to run in terminal and to use 
> NetworkManager in the desktop.  I don't see a way to open a desktop in sys-net.


If NM works you see it in the upper right corner, see attached image. Be
sure that all needed packages are in your sys-net: firmware, but also
the qubes-core-agent-networkmanager and qubes-core-agent-networking
that you simply install in the TEMPLATE used for sys-net with apt-get as
usual.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9e2edccd-af6a-99d2-368d-6637cbbf8f6e%40web.de.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Can't Start Network, V4

2019-04-08 Thread Ray Joseph
Thank you for your support.  I don't know what 'panel' I should see the 
nm-applet opening in.  I opened a terminal in sys-net and entered nm-applet and 
obtained a response that said it was not meant to run in terminal and to use 
NetworkManager in the desktop.  I don't see a way to open a desktop in sys-net.

BTW, my little Linux background is Debian and almost all of it was at the 
command line using /etc/network/interfaces.  My intent was to use Debian to run 
Xen.  But I was not able to find a way to get Debian/Xen to use wireless.  
Qubes doesn't have this problem, if I can just discover how.



Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?

2019-04-08 Thread taii...@gmx.com
I have stated this many times before.

The PS/2 thing is from 2011 which is 8 years ago and applies to systems
without more than one USB controller.

Using PS/2 sends your keystrokes out on the ground wire.

It is far better to purchase a motherboard with a second USB controller
with separate IOMMU groups or a PCI-e supporting USB card with one
controller per port and an ACS PCI-e switch to tie them together, of
course all must have libre firmware and preferably made somewhere
trustworthy.

I would only trust hardware Made in USA or Switzerland since both are
the only places in the world right now where you can say no to a demand
to put a backdoor in your product and have nothing come of it. (Here's to
hoping for Xen/Qubes on OpenPOWER for USA-made computing) Unfortunately
recent cases have proven the EU majority no longer has freedom of speech
(such as the man who went to jail for criticizing a certain foreign
leader in Germany) and code is speech, HDLs are speech and freedom of
speech means freedom to be silent (and thus not code a backdoor)

Ideally you would have 4 IOMMU separate usb controllers total.

USB controllers:
- dom0/sys-usb-keyboard (you enter your passwords and then it gets assigned to sys-usb-inputs later which is for your keyboard and mouse)
- sys-usb-mouse (off at boot - since I know of no secure mice it should be separate)
- sys-usb-trusted-stuff (off at boot, assigned to sys-usb later) your flash drives
- sys-usb-untrusted-stuff (off at boot, assigned to sys-usb later) other people's flash drives

I use a PCL/PS network printer so I don't need a 5th for that.

In terms of USB devices you want stuff without re-writable firmware
which many keyboards have and AFAIK the only OEM that attests to its
products' security and lack of re-writable firmware is Unicomp (and of
course the original Model M's can't be re-written either)

The most secure input device is the USB Unicomp Model M pointer which is
a made-in-USA mechanical keyboard with a laptop style mouse nub in the
middle of the keyboard and two mouse buttons - Unicomp makes the rare
high quality keyboard that will never break and never need replacing due
to wear.



[qubes-users] just dreaming: mirage-tor ?

2019-04-08 Thread haaber

as you may have noticed by the mirage-firewall discussions, one
impressive point is the size of mirage -- 32M. That is not yet the 640K
I grew up with, but much more memory-friendly than the
standard-sys-firewall (which took 384M in my system). Another (to me:
inexplicably large) qube in my system is sys-whonix - it takes  almost
900M of memory! So I was day-dreaming if a mirage-tor is potentially
within reach ? Or is that
- too complex
- too hard to keep living, since tor itself evolves quickly



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
On Tuesday, April 9, 2019 1:42 AM, 799  wrote:

> Thanks for the summary, this is what I was looking for. I am using 
> fedora-29-minimal for all my AppVMs, therefore I didn't think that the 
> problem might be template related.
> I'll run the same steps you did tomorrow.

Yes I noticed after posting that you used fedora-29-minimal and tried to do the 
build in a minimal based AppVM and sure enough, got the same error as you. 
However I'm no fedora person, not much of a docker guy and a first timer with 
mirage, so I don't really want to go after this. Especially as the AppVM is 
only for the build and can be thrown away after that.

>
> As far as I have understood the VM is just for the building process and that 
> I can find the result, a file called mirage-firewall.tar.bz2, in the _build 
> folder afterwards and that I need to transfer this folder to dom0 and unpack 
> it to /var/lib/qubes/vm-kernels 
> Then I can use the new kernel.

Exactly. (Or if you don't trust that the .tar.bz2 file won't try to exploit a 
bug in dom0 upon decompression, just transfer the 3 files in it separately. :) )

>
> Maybe a stupid question, but ...
> As the AppVM including docker is just needed to build the kernel, wouldn't it 
> be much easier if the mirage-firewall can be added via a sudo 
> qubes-dom0-update like any other package?
>
> Maybe only in the testing or a community repository?

Sure it would be, but the trust building is never easy.
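
The precaution mentioned in the message above (not unpacking an untrusted .tar.bz2 in dom0, and moving the files over one by one instead) can be prepared in the build qube. The following Python is an added example, not part of the original message or of the qubes-mirage-firewall project; the function names, the size ceiling and the three member names in the constructed sample are assumptions.

```python
import hashlib
import io
import tarfile

MAX_MEMBER_BYTES = 512 * 1024 * 1024  # assumed ceiling for a single member


def audit_archive(data, max_member_bytes=MAX_MEMBER_BYTES):
    """Inspect a .tar.bz2 held in memory without writing anything to disk.

    Returns {member name: sha256 hex digest} for the regular files and
    raises ValueError on any member a kernel bundle has no reason to carry.
    """
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:bz2") as tar:
        for member in tar:
            name = member.name
            # Absolute names and ".." components would land outside the
            # directory the archive is unpacked into.
            if name.startswith("/") or ".." in name.split("/"):
                raise ValueError(f"path escapes the unpack directory: {name!r}")
            if member.isdir():
                continue
            # Symlinks, hard links, devices and FIFOs are rejected outright.
            if not member.isreg():
                raise ValueError(f"link or special file in archive: {name!r}")
            if member.mode & 0o6000:
                raise ValueError(f"setuid/setgid bit set: {name!r}")
            if member.size > max_member_bytes:
                raise ValueError(f"member larger than the ceiling: {name!r}")
            digest = hashlib.sha256()
            stream = tar.extractfile(member)
            for chunk in iter(lambda: stream.read(1 << 16), b""):
                digest.update(chunk)
            manifest[name] = digest.hexdigest()
    return manifest


def mismatches(expected, observed):
    """Names whose digest in `observed` is missing or differs from `expected`."""
    return sorted(n for n, h in expected.items() if observed.get(n) != h)


def build_archive(files, extra_members=()):
    """Build a constructed .tar.bz2 in memory (sample input for this example)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        for info in extra_members:
            tar.addfile(info)
    return buf.getvalue()


# Constructed sample: placeholder contents, and the member names are an
# assumption about what "the 3 files" in the bundle are called.
SAMPLE_FILES = {
    "mirage-firewall/vmlinuz": b"constructed kernel image bytes",
    "mirage-firewall/initramfs": b"constructed initramfs bytes",
    "mirage-firewall/modules.img": b"constructed modules image bytes",
}

if __name__ == "__main__":
    for name, digest in audit_archive(build_archive(SAMPLE_FILES)).items():
        print(digest, name)
```

Run it in the build qube; after each file has been copied into dom0 on its own, hash the copies there with sha256sum and compare them against the printed digests.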



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello qmirfw,

'qmirfw' via qubes-users wrote on Tue, 9 Apr 2019, 00:51:

> On Monday, April 8, 2019 11:40 PM, 799  wrote:
> > Any ideas what I am missing?
>
> I don't know. I just did a build using fedora (based on unmodified Qubes
> fedora-29 template) and got no error, final checksum checks out. This is
> what I did:
> (...)
>

Thanks for the summary, this is what I was looking for. I am using
fedora-29-minimal for all my AppVMs, therefore I didn't think that the
problem might be template related.
I'll run the same steps you did tomorrow.

As far as I have understood the VM is just for the building process and
that I can find the result, a file called mirage-firewall.tar.bz2, in the
_build folder afterwards and that I need to transfer this folder to dom0
and unpack it to /var/lib/qubes/vm-kernels
Then I can use the new kernel.

Maybe a stupid question, but ...
As the AppVM including docker is just needed to build the kernel, wouldn't
it be much easier if the mirage-firewall can be added via a sudo
qubes-dom0-update like any other package?

Maybe only in the testing or a community repository?

- O



[qubes-users] Qubes Canary #19

2019-04-08 Thread Andrew David Wong
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Qubes Community,

We have published Qubes Canary #19. The text of this canary is
reproduced below. This canary and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary #19 in the qubes-secpack:



Learn about the qubes-secpack, including how to obtain, verify, and read
it:



View all past canaries:



```


---===[ Qubes Canary #19 ]===---


Statements
- ---

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is April  3, 2019.

2. There have been 48 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of July 2019. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
- --

None.

Disclaimers and notes
- --

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
- ---

$ date -R -u
Wed, 03 Apr 2019 15:10:59 +

$ feedstail -1 -n5 -f '{title}' -u 
https://www.spiegel.de/international/index.rss
A Precarious Alliance: Patience Wears Thin with Germany's NATO Spending
Interview with NATO Secretary General Stoltenberg: The U.S. and President Trump 
'Are 100 Percent Behind' Us
Interview with Sir David Attenborough: 'Collecting Memories Isn't the Same as 
Collecting Ammonites'
'I'm Just Being Me': British House Speaker Bercow on His Brexit Role
France's Golden Boy Learns How to Fight: Macron Debates His Way Out of The 
Yellow-Vest Crisis

$ feedstail -1 -n5 -f '{title}' -u 
https://rss.nytimes.com/services/xml/rss/nyt/World.xml
Theresa May and Jeremy Corbyn Consider Something New on Brexit: Cooperation
Egypt’s Soap Opera Clampdown Extends el-Sisi’s Iron Grip to TV
Najib Razak, Malaysian Leader Toppled in 1MDB Scandal, Faces First Graft Trial
Saudi Arabia Giving Jamal Khashoggi’s Children Money and Real Estate
Trudeau and Liberal Party Expel 2 Ex-Ministers at Center of Storm

$ feedstail -1 -n5 -f '{title}' -u https://feeds.bbci.co.uk/news/world/rss.xml
Brunei implements stoning to death under anti-LGBT laws
Charges dropped in deadly US biker brawl
Paris transgender woman 'humiliated' at protest
Jeffree Star says $2.5m worth of his cosmetic line stolen
1MDB: Superyacht linked to financial scandal sold for $126m

$ feedstail -1 -n5 -f '{title}' -u http://feeds.reuters.com/reuters/worldnews
Italy PM denies Tria could quit over 5-Star attacks
Brexit gamble: UK's May to meet opposition leader to seek a deal
EU would begin customs controls right after no-deal Brexit
Turkey says proposed working group to ease U.S. worries over Russian S-400s
Britain scrambles jets after Russian bombers approach UK airspace

$ curl -s 'https://blockchain.info/blocks/?format=json' |\
  python3 -c 'import sys, json; 
print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
0010e57bfbfcbb49bdae6212789c51447316c4652bd6fcf3

Footnotes
- --

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also 
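
The numbered statements in the canary above are regular enough to check mechanically once the PGP signatures have been verified. The following Python is an added example, not part of the announcement or of the qubes-secpack; the function names, the reading of "first two weeks" as ending on the 14th, and the previous QSB count used in the demo are assumptions.

```python
import re
from datetime import date

# Excerpt of the statements from Qubes Canary #19 as quoted on this page.
CANARY_19 = """\
1. The date of issue of this canary is April  3, 2019.

2. There have been 48 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

5. We plan to publish the next of these canary statements in the first
two weeks of July 2019. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.
"""

MONTHS = {name: i for i, name in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

# One pattern per statement; a statement that no longer matches counts as
# "the list of statements changes" and is reported instead of skipped.
PATTERNS = {
    "issued": r"date of issue of this canary is (\w+) (\d{1,2}), (\d{4})",
    "qsbs": r"There have been (\d+) Qubes Security Bulletins published",
    "fingerprint": r"Master Signing Key fingerprint is: ((?:[0-9A-F]{4} ?){10})",
    "next": r"next of these canary statements in the first two weeks of (\w+) (\d{4})",
}


def parse_canary(text):
    """Extract the machine-checkable statements from a canary body."""
    flat = " ".join(text.split())  # undo hard wrapping and doubled spaces
    found = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, flat)
        if match is None:
            raise ValueError(f"statement missing or reworded: {key}")
        found[key] = match.groups()
    month, day, year = found["issued"]
    due_month, due_year = found["next"]
    try:
        issued = date(int(year), MONTHS[month], int(day))
        # Assumption: "first two weeks" of a month ends on the 14th.
        next_due = date(int(due_year), MONTHS[due_month], 14)
    except KeyError as exc:
        raise ValueError(f"unknown month name: {exc}") from None
    return {
        "issued": issued,
        "qsb_count": int(found["qsbs"][0]),
        "fingerprint": found["fingerprint"][0].replace(" ", ""),
        "next_due": next_due,
    }


def review_canary(canary, *, today, trusted_fpr, previous_qsbs):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    if canary["fingerprint"] != trusted_fpr.replace(" ", "").upper():
        findings.append("fingerprint differs from the locally trusted master key")
    if canary["qsb_count"] < previous_qsbs:
        findings.append("QSB count went down since the previous canary")
    if canary["issued"] > today:
        findings.append("issue date is in the future")
    if today > canary["next_due"]:
        findings.append("next canary is overdue")
    return findings


if __name__ == "__main__":
    parsed = parse_canary(CANARY_19)
    print(parsed)
    print(review_canary(
        parsed,
        today=date(2019, 7, 20),  # constructed date, after the stated deadline
        trusted_fpr="427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494",
        previous_qsbs=47,  # constructed value standing in for the last canary
    ))
```

The trusted fingerprint should come from a copy obtained independently of the canary being checked; the demo reuses the one printed above only to stay self-contained.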

Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
On Monday, April 8, 2019 11:40 PM, 799  wrote:
> Any ideas what I am missing?

I don't know. I just did a build using fedora (based on unmodified Qubes 
fedora-29 template) and got no error, final checksum checks out. This is what I 
did:

# # # In dom0 root terminal:
qvm-create miragebuildfedora --class=AppVM --label=red --template=fedora-29
qvm-volume resize miragebuildfedora:private $((20*1024*1024*1024))
qvm-run miragebuildfedora gnome-terminal

# # # In miragebuildfedora user terminal:
sudo mkdir /home/user/var_lib_docker
sudo ln -s /home/user/var_lib_docker /var/lib/docker
sudo dnf install docker
sudo systemctl start docker
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
git pull origin pull/52/head
sudo ./build-with-docker.sh

# # # done.



[qubes-users] qubes-mirage-firewall chaining

2019-04-08 Thread 'qmirfw' via qubes-users
Hello,

I got the qubes-mirage-firewall working in a simple

sys-net --> sys-mirage-fw --> disp1234

situation, but when I wanted to include it in my normal chain, as in

sys-net --> sys-mirage-fw --> sys-firewall --> AppVMs

my AppVMs can't access the network.

Is this supposed to work?

In Xen console of the mirage firewall I can see the linux firewall connecting, 
but then lines like this:

WRN [client_net] Incorrect source IP 10.137.0.45 in IP packet from 10.137.0.12 (dropping)

Thanks



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users


On Monday, April 8, 2019 11:40 PM, 799  wrote:

> I tried to build mirage in a new template VM which is based on 
> fedora-29-minimal, but ran into an error.

I don't understand why you want to do all that in a TemplateVM, and not an 
AppVM.

Also why fight with Fedora, if my simple Debian based build gives the same 
binary as the official (equal checksum).

(Quick note, if you insist: you don't have to symlink the docker dir to /home, 
simply increase :root instead of :private)

I'll try the docker build in a fedora appvm and see if I also get that error...



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber

@ 799,  I got these errors when using the repo-version of docker instead
of docker-ce directly (see my last 2-3 posts) here.

See https://docs.docker.com/install/linux/docker-ce/debian/
and https://docs.docker.com/install/linux/docker-ce/fedora/

for download instructions.

@Thomas Leonard: YES, I got through!! My error was my fault, some files
were owned by root and not user, the Lord knows why. Your line
  docker run --rm -it --entrypoint bash -v $(pwd):/home/opam/qubes-mirage-firewall qubes-mirage-firewall
helped me out of that. THANK YOU for your patience.




On 4/9/19 7:40 AM, 799 wrote:

> Hello,
>
> I've created a howto page in the Qubes Community docs to collect all
> information which is needed to build/install the mirage firewall for
> qubes OS.
> https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md
>
> I tried to build mirage in a new template VM which is based on
> fedora-29-minimal, but ran into an error.
> Can you take a look and give me a hint what I am missing?
>
> --- --- 8< --- --- --- ---
>
> MirageTemplateVM=t-fedora-29-mirage
> # create a new template VM
> qvm-clone fedora-29-minimal $MirageTemplateVM
>
> # Resize private disk to 10 GB
> qvm-volume extend $MirageTemplateVM:private 10GB
>
> # Create a symbolic link to save docker into the home directory
> qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
>   'ln -s /var/lib/docker /home/user/docker'
>
> # Install docker and git
> qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
>   'dnf -y install docker git'
>
> # To get networking in the template VM
> qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
>   'dnf install qubes-core-agent-networking'
> qvm-shutdown --wait $MirageTemplateVM
> qvm-prefs $MirageTemplateVM netvm sys-firewall
> qvm-start $MirageTemplateVM
>
> # Launch docker
> qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
>   'systemctl start docker'
>
> # Download and build mirage for qubes
> qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
>   'cd /home/user && \
>    git clone https://github.com/mirage/qubes-mirage-firewall.git && \
>    cd qubes-mirage-firewall && \
>    ./build-with-docker.sh'
>
> --- --- 8< --- --- --- ---
>
> Unfortunately I ran into an error during the build process:
>
> [...]
> Building Firewall...
> error while executing ocamlbuild -use-ocamlfind -classic-display -tags bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm -pkgs mirage config.cmxs
> + mkdir /home/opam/qubes-mirage-firewall/_build
> mkdir: cannot create directory '/home/opam/qubes-mirage-firewall/_build': Permission denied
> Command exited with code 1.
> Failure:
>   Error during command "mkdir /home/opam/qubes-mirage-firewall/_build":
> Ocamlbuild_pack.My_std.Exit_with_code(10)
>
> Maybe because there is no folder /home/opam/... ??
>
> I have also integrated pull request 52 via:
> qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
>   'git pull origin pull/52/head && \
>    rm -rf _build && \
>    sudo ./build-with-docker.sh'
>
> And I have manually created the missing folder above via
>
> qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
>   'mkdir /home/opam/qubes-mirage-firewall/'
>
> Even then I still run into the same error.
>
> Any ideas what I am missing?
>
> - O


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello,

I've created a howto page in the Qubes Community docs to collect all
information which is needed to build/install the mirage firewall for qubes
OS.
https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md

I tried to build mirage in a new template VM which is based on
fedora-29-minimal, but ran into an error.
Can you take a look and give me a hint what I am missing?

--- --- 8< --- --- --- ---

MirageTemplateVM=t-fedora-29-mirage
# create a new template VM
qvm-clone fedora-29-minimal $MirageTemplateVM

# Resize private disk to 10 GB
qvm-volume extend $MirageTemplateVM:private 10GB

# Create a symbolic link to save docker into the home directory
qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
  'ln -s /var/lib/docker /home/user/docker'

# Install docker and git
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'dnf -y install docker git'

# To get networking in the template VM
qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
  'dnf install qubes-core-agent-networking'
qvm-shutdown --wait $MirageTemplateVM
# qvm-prefs takes the property name (netvm) before its value
qvm-prefs $MirageTemplateVM netvm sys-firewall
qvm-start $MirageTemplateVM

# Launch docker
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'systemctl start docker'

# Download and build mirage for qubes
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'cd /home/user && \
   git clone https://github.com/mirage/qubes-mirage-firewall.git && \
   cd qubes-mirage-firewall && \
   ./build-with-docker.sh'

--- --- 8< --- --- --- ---

Unfortunately I ran into an error during the build process:

[...]
Building Firewall...
error while executing ocamlbuild -use-ocamlfind -classic-display -tags bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm -pkgs mirage config.cmxs
+ mkdir /home/opam/qubes-mirage-firewall/_build
mkdir: cannot create directory '/home/opam/qubes-mirage-firewall/_build': Permission denied
Command exited with code 1.
Failure:
  Error during command "mkdir /home/opam/qubes-mirage-firewall/_build":
Ocamlbuild_pack.My_std.Exit_with_code(10)


Maybe because there is no folder /home/opam/... ??

I have also integrated pull request 52 via:
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'git pull origin pull/52/head && \
   rm -rf _build && \
   sudo ./build-with-docker.sh'

And I have manually created the missing folder above via

qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'mkdir /home/opam/qubes-mirage-firewall/'

Even then I still run into the same error.

Any ideas what I am missing?

- O



Re: [qubes-users] Re: How risky is GPU pass-through?

2019-04-08 Thread John Mitchell
On Monday, April 8, 2019 at 8:32:09 PM UTC+2, tai...@gmx.com wrote:
> On 02/25/2019 04:02 PM, John Mitchell wrote:
> > If I may ask what OS do you use for the host?
> >
> 
> Devuan, it is debian without systemd.
> 
> I compile most of the related packages though like libvirtd, qemu etc
> cause the ones from the distro are way too outdated to support what I need.
> 
> You should get a new non-gmail email btw.

Thank you for the reply.

I know Google (facebook, etc.) owns me.  :(  And most of the rest of us.

Anyway I moved on to Xubuntu.  It provides enough security for my needs and the 
GPU pass through is working.  Also there is a patch coming for QEMU that should 
bump the performance so I am satisfied with my setup.  I'll continue to keep an 
eye on qubes hoping one day the PCI pass through catches up.  I realize Qubes 
is way ahead on the security side though.



Re: [qubes-users] Re: Corebooted G505s Suspend/Resume Fails

2019-04-08 Thread 'awokd' via qubes-users

qubes123 wrote on 4/8/19 6:08 PM:

> ...distribution kernels (fedora, debian) with xen 4.11.1 still have issues with 
> suspend & g505s...

Understood, thank you! That will save a lot of testing time. I'm still 
getting my build environment stood up, but will update once I can 
confirm the workaround.




Re: [qubes-users] Realtek wifi adapter rtl8821ce

2019-04-08 Thread Adam Robinson
Hello Jayen,

> I have realtek wifi adapter in my lenovo laptop ideapad 330 15arr model. It
> is not recognised by sys-net VM.


I have a similar laptop to you (Ideapad 330S-15ARR).

I was not able to compile the kernel module when using the Qubes provided
virtual machine kernel.  I switched sys-net to use the stock Fedora 29
kernel and I was able to install the driver successfully.  Aside from that,
the only other thing I had to do was manually run the command to upgrade
grub when there is a kernel update in the template VM and I want to boot
from it.

Thanks,
-Adam



Re: [qubes-users] Re: How risky is GPU pass-through?

2019-04-08 Thread taii...@gmx.com
On 02/25/2019 04:02 PM, John Mitchell wrote:
> If I may ask what OS do you use for the host?
>

Devuan, it is debian without systemd.

I compile most of the related packages though like libvirtd, qemu etc
cause the ones from the distro are way too outdated to support what I need.

You should get a new non-gmail email btw.



Re: [qubes-users] Responding to the Whonix trolls...

2019-04-08 Thread taii...@gmx.com
On 03/01/2019 09:21 PM, unman wrote:
> On Fri, Mar 01, 2019 at 07:27:08PM +, Achim Patzner wrote:
>> On 28.02.2019 15:10:21, "unman"  wrote:
>>
>>
>>> On Thu, Feb 28, 2019 at 11:03:12AM +0100, Achim Patzner wrote:
>>>> On 20190227 at 22:30 -0800 cooloutac wrote:
>>>>
>>>> Whenever I accidentally read a posting by raahelps@ I'm wondering what
>>>> crime we committed to have to bear something like this and what could
>>>> be done to avoid attracting people like that...
>>>>
>>>> Do us all a favour and go troll somewhere else
>>> I don't think this is helpful
>>
>> I guess I'm of a different opinion in that case. Sometimes someone has to
>> speak up and draw a line in the sand.
>
> All you are doing is perpetuating the problem.
>
>>
>>> Please consider the guidelines and be respectful and polite to others.
>>
>> Unlike others I strongly believe that respect has to be earned and it can be
>> retracted. The user in question spent nearly all his time on this mailing
>> list. And _none_ of his postings ever enriched any discussion.
>
> I don't agree. I have my own problems with that user, but he has in the
> past provided help on the list, and will do in the future.

His "help" is always terrible and potentially dangerous for people for
whom security is a life and death matter, such as journalists in a third
world country, and when someone provides constructive criticism he freaks
out and sends them 5 replies.

I hate elitist places that are almost dead because they wish to exclude
people but you gotta have standards.

On 03/03/2019 04:01 AM, cooloutac wrote:
> It's not very different than fascism, in particular the Gestapo,
Yay Godwin's law.

If it really was like that you'd be on the train to Siberia by now.



Re: [qubes-users] Could Qubes Installation Configuration Be More User Friendly?

2019-04-08 Thread taii...@gmx.com
On 03/05/2019 03:22 PM, cooloutac wrote:
> I agree with Chris it's more a compatibility issue than an installation issue.
>
> You really have to research the machine on linux before using it in Qubes.
> And have to make sure the bios has the necessary options before purchase,
> which is one of the things Qubes docs suggest doing.

This won't do anything since there are many BIOS that provide an "IOMMU"
option that doesn't work for various reasons, I myself have some of
these boards.

The best choice is to purchase something that has open source firmware
and that is owner controlled so that any issues can be fixed.

>
> And disabling security features to make a system compatible might defeat the
> purpose of using Qubes.
>
> What model laptop do you have that you can't disable the nvidia gpu?  You 
> sure it has an onboard one to use in its place?

Many do not provide this option, especially the ones per-officially
supported dual GPU like Optimus and the AMD equivalent.



Re: [qubes-users] coreboot on modern hardware?

2019-04-08 Thread taii...@gmx.com
System seventysuck, pur.idiots etc are LYING about having "open source
firmware"

System seventysuck also lies about having "made in usa" hardware
literally all they did was make a metal case here and somehow a metal
box equals a computer in their world.

Their "coreboot" is nothing more than a wrapper layer for Intel FSP
binary blobs, it doesn't init any hardware and just like their "made in
usa" claims is entirely bullshit.

New AMD hardware has PSP which is their version of ME and just as terrible.

New x86 hardware will NEVER be free since intel/amd not only refuse to
provide documentation and sources but also lock down their systems more
and more with ME, boot "guard", "secure" boot etc.


If you want owner controlled open source firmware hardware buy an
OpenPOWER system from RaptorCS like the Blackbird or TALOS 2 both of
which provide better performance and features than enterprise x86
systems you would get for the same price.

Someday there will even be AAA games on POWER just like people said that
there would never be DRM free AAA linux games and now there are many, as
of now there are a few meh open source 3D games and the unreal tech demo
but gaming is the only thing you sacrifice and you can always have an
older pre-PSP AMD owner controlled system for that like I do.



Re: [qubes-users] Re: Corebooted G505s Suspend/Resume Fails

2019-04-08 Thread qubes123
...distribution kernels (fedora, debian) with xen 4.11.1 still have issues with 
suspend & g505s...



[qubes-users] Dell Inspiron 14 3480 no boot to installer

2019-04-08 Thread Ralph O. Schaumann
Hi,
I bought a brand new Inspiron 3480 just for Qubes. It has the most recent
bios/firmware and an i5-8265 cpu/platform. When trying to boot the
installer from USB the screen just blinks up once with 6 lines of text and
then goes black and nothing happens.
I have tried other USB Sticks but the same happens.
I use UEFI mode.
Thanks for your help



Re: [qubes-users] downsizeing root / private max storage

2019-04-08 Thread Chris Laprise

On 4/8/19 11:24 AM, unman wrote:
> On Mon, Apr 08, 2019 at 10:30:23PM +1000, haaber wrote:
>> Dear qubes-users,
>> is there a comprehensive way how to down-size a (template) VM ? Let us
>> assume, that a  df shows the template uses 9.2G as root volume. Assume
>> further that for some reason I had temporarily increased the root vol to
>> 15 or 20G. But, say 11G (even 10G) should suffice, right?  So how to
>> downsize a template carefully?  Cheers,
>
> Given that templates are also provisioned as thin-pools, why do you want to do
> this?
> I mean, why bother?



Yes. My advice is to remove what you don't need, then do an 'fstrim -a'. 
The volume's virtual size will of course stay the same, but the 
allocated size will reduce to only what is used by the template.


Controlling the virtual size of private volumes is more of an issue, 
IMO, because they see a lot more varied use than root volumes and 
space-hungry apps in many vms can result in a surprising amount of disk 
usage. You can keep on top of this by viewing disk usage in Qube 
Manager, and investigate a vm using an allocation grapher like filelight 
or baobab.


OTOH, if you really need to reduce a volume's virtual size then it's 
possible by attaching a volume to a non-networked dispvm, running 
'resize2fs' in the dispvm, then using 'qvm-volume resize --force 
vm:volume size' in dom0.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello,

'qmirfw' via qubes-users wrote on Mon, Apr 8, 2019, 16:08:

> (...)
> This is what I do:

(...)
>

Unfortunately I don't understand all steps, for example what ...
# Fix the reproducible build
git pull origin pull/52/head
... means.

As the firewall is very (!) important to keep Qubes OS/more specific the
AppVM separation safe, I will only use it, if there is a clear procedure
what needs to be done.

Will it only work with Debian 10 (which doesn't seem to be considered stable,
AFAIK it's not in the Qubes 4 productive repositories yet)?

I would like to see a document which takes the user from a default Qubes 4
installation and ends in working mirage firewall.

Can we build it from a fedora-29 based template?

Also it would be great if we put up the howto on the Qubes Community Docs
so that we can improve it there for future use(rs).
As mentioned I would be happy contributing to the documentation but a
better starting point would be great.

I think a good howto would also include that all steps can be done from
dom0 (via qvm-run) to make it scriptable for future and simpler usage.

- O



Re: [qubes-users] downsizeing root / private max storage

2019-04-08 Thread unman
On Mon, Apr 08, 2019 at 10:30:23PM +1000, haaber wrote:
> Dear qubes-users,
> is there a comprehensive way how to down-size a (template) VM ? Let us
> assume, that a  df shows the template uses 9.2G as root volume. Assume
> further that for some reason I had temporarily increased the root vol to
> 15 or 20G. But, say 11G (even 10G) should suffice, right?  So how to
> downsize a template carefully?  Cheers,

Given that templates are also provisioned as thin-pools, why do you want to do 
this?
I mean, why bother?



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
‐‐‐ Original Message ‐‐‐
On Monday, April 8, 2019 2:29 PM, haaber  wrote:

> > Addition: but even after successful compilation, the hash still didn't 
> > match for me, probably because of what Thomas Leonard already mentioned ( 
> > https://github.com/mirage/qubes-mirage-firewall/pull/52 ). Can we get a 
> > 0.5.1 release? I'd contribute with a more step-by-step build instructions 
> > doc for Qubes + Debian (no need for Fedora).
>
> Q1: So you got through without the strange " mkdir: cannot create
> directory '/home/opam/qubes-mirage-firewall/_build': Permission denied"
> error at the final build that blocks me ?
>
> Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
> folder without fiddling files by hand?
>


I don't get that mkdir error. After integrating pull/52, the hash matches.

This is what I do:

# # # In dom0 root terminal:

# We can't use a DisposableVM, as their disk size can't be increased while
# running, so let's create a normal AppVM
qvm-create miragebuild --class=AppVM --label=red \
    --template=some_debian-10_template
# Give it some space
qvm-volume resize miragebuild:private $((20*1024*1024*1024))
# Run it
qvm-run miragebuild gnome-terminal

# # # In miragebuild VM user terminal:

# The whole docker thing won't fit in /var/lib, but will fit in /home
sudo mkdir /home/user/var_lib_docker
sudo ln -s /home/user/var_lib_docker /var/lib/docker
sudo apt update
sudo apt install docker.io
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
# Fix the reproducible build
git pull origin pull/52/head
# By default docker under Qubes can't get out to the network, so we use
# --network=host, this is a single use VM anyway
sed s/'docker build -t qubes-mirage-firewall .'/'docker build --network=host -t qubes-mirage-firewall .'/ \
    build-with-docker.sh >build-with-docker_networkfix.sh
# Let's build
sudo sh ./build-with-docker_networkfix.sh

# done.

After this the hash matches 
(ce9a16b6f5ce0123f289b3586492f9f4b921f6e788f8e333784545807bb1b0f2)

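The hash comparison the post above ends with, as an added example that is not part of the original message or of the project's scripts. The function names are hypothetical, the artifact path is supplied by the caller because the thread does not name the build output file, and the default digest is the one quoted in the post.

```shell
#!/bin/sh
# Added example: not part of the thread or of qubes-mirage-firewall.
# Compares a build artifact's SHA-256 with a published digest and keeps
# "bad digest string" and "file missing" distinct from a real mismatch.

# Digest quoted in the post above as the value the build matched.
PUBLISHED_SHA256=ce9a16b6f5ce0123f289b3586492f9f4b921f6e788f8e333784545807bb1b0f2

# normalize_sha256 HEX: print HEX lower-cased with whitespace stripped;
# return 2 unless the result is exactly 64 hex digits.
normalize_sha256() {
    digest=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    case "$digest" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 2
    printf '%s' "$digest"
}

# file_sha256 PATH: print the file's digest; return 3 if PATH is not a file.
# Reading via stdin keeps sha256sum from escaping unusual file names.
file_sha256() {
    [ -f "$1" ] || return 3
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_build ARTIFACT EXPECTED_HEX
#   0 match, 1 mismatch, 2 malformed EXPECTED_HEX, 3 ARTIFACT missing
verify_build() {
    expected=$(normalize_sha256 "$2") || return 2
    actual=$(file_sha256 "$1") || return 3
    if [ "$actual" = "$expected" ]; then
        echo "OK       $1"
        return 0
    fi
    {
        echo "MISMATCH $1"
        echo "  expected $expected"
        echo "  actual   $actual"
    } >&2
    return 1
}

# same_build A B: 0 if two independently produced artifacts are bit-identical,
# which is what a reproducible build is supposed to guarantee.
same_build() {
    a=$(file_sha256 "$1") || return 3
    b=$(file_sha256 "$2") || return 3
    [ "$a" = "$b" ]
}

# Demo on constructed input: a 3-byte file whose SHA-256 is the standard
# test vector for "abc" (given in upper case to exercise normalisation).
demo() {
    tmp=$(mktemp) || return 1
    printf 'abc' > "$tmp"
    verify_build "$tmp" BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
    verify_build "$tmp" "$PUBLISHED_SHA256" || echo "(mismatch expected: rc=$?)"
    rm -f "$tmp"
}

# Usage: script ARTIFACT [EXPECTED_HEX]; with no arguments, run the demo.
if [ "$#" -ge 1 ]; then
    verify_build "$1" "${2:-$PUBLISHED_SHA256}"
else
    demo
fi
```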


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread Thomas Leonard
On Monday, April 8, 2019 at 1:29:53 PM UTC+1, haaber wrote:
[...]
> Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
> folder without fiddling files by hand?

To test that PR:

git pull origin pull/52/head
rm -rf _build
sudo ./build-with-docker.sh



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread Thomas Leonard
On Monday, April 8, 2019 at 12:29:30 PM UTC+1, haaber wrote:
> here is some build-news. next hint: give your template a lot of *disk
> space*. My last error was due to that, but of course it did not tell me
> "disc full" but some random other message. So now I am getting closer:
> sudo ./build-with-docker.sh
> 
> 
> Step 9/9:
> Successfully tagged qubes-mirage-firewall:latest
> Building Firewall...
> error while executing ocamlbuild -use-ocamlfind -classic-display -tags
>  bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
>  -pkgs mirage config.cmxs
> + mkdir /home/opam/qubes-mirage-firewall/_build
> mkdir: cannot create directory
> '/home/opam/qubes-mirage-firewall/_build': Permission denied
> Command exited with code 1.
> Failure:
>Error during command "mkdir /home/opam/qubes-mirage-firewall/_build":
> Ocamlbuild_pack.My_std.Exit_with_code(10).
> 
> --
> 
> so we are back with the question of /home/opam instead of /home/user ...
> 
> Is docker trying to write to the "real" /home  or at some sort of
> chroot'ed  /home  inside docker ???   Aaaargh!

`_build` is your _build directory, which is mounted into the chroot by the -v 
option. You can go into the environment yourself and try making it manually to 
find out what the problem is:

$ docker run --rm -it --entrypoint bash -v $(pwd):/home/opam/qubes-mirage-firewall qubes-mirage-firewall
opam@aaa050f3779c:~/qubes-mirage-firewall$ mkdir _build

The Docker build user has UID 1000, which should be the same as the default 
qubes user (use "id" inside and outside of the build environment to see).

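The UID comparison suggested in the reply above can also be made from the host side, without entering the container. This is an added example, not part of the original message or of the project; the function names are hypothetical, UID 1000 is the value given in the reply, and group permissions are deliberately left out of the check.

```shell
#!/bin/sh
# Added example: not part of the thread or of qubes-mirage-firewall.
# Host-side check for the "mkdir: ... _build: Permission denied" failure:
# can the container's build user create entries in the directory that is
# bind-mounted into the container? Needs GNU stat (coreutils).

CONTAINER_UID=1000   # UID of the Docker build user, as stated in the reply above

# can_uid_create_in DIR UID
#   0  UID may create entries in DIR
#   1  UID may not
#   2  DIR is not a directory (or cannot be inspected)
# Only the owner and "other" permission bits are considered: the container
# user's groups are not assumed to line up with the host's.
can_uid_create_in() {
    dir=$1
    uid=$2
    [ -d "$dir" ] || return 2
    if [ "$uid" -eq 0 ]; then
        return 0                      # root is not limited by mode bits
    fi
    owner=$(stat -c '%u' -- "$dir") || return 2
    mode=$(stat -c '%a' -- "$dir") || return 2
    bits=$((0$mode))                  # %a prints octal, e.g. 755 or 1777
    if [ "$uid" -eq "$owner" ]; then
        perm=$(( (bits >> 6) & 7 ))   # owner triplet
    else
        perm=$(( bits & 7 ))          # "other" triplet
    fi
    [ $(( perm & 3 )) -eq 3 ]         # creating an entry needs write + search
}

# explain_build_dir DIR: print a verdict for CONTAINER_UID and return the
# same status as can_uid_create_in.
explain_build_dir() {
    verdict=0
    can_uid_create_in "$1" "$CONTAINER_UID" || verdict=$?
    case "$verdict" in
        0) echo "ok: UID $CONTAINER_UID can create _build in $1" ;;
        1) echo "denied: $1 is owned by UID $(stat -c '%u' -- "$1")," \
                "mode $(stat -c '%a' -- "$1"); UID $CONTAINER_UID cannot write there" ;;
        *) echo "error: $1 is not a directory" ;;
    esac
    return "$verdict"
}

# Demo on a constructed directory. With mode 755 the verdict depends on
# whether the current user is UID 1000; with mode 777 it is always "ok".
demo() {
    work=$(mktemp -d) || return 1
    chmod 755 "$work"
    explain_build_dir "$work" || true
    chmod 777 "$work"
    explain_build_dir "$work" || true
    rmdir "$work"
}

# Usage: script CHECKOUT_DIR; with no arguments, run the demo.
if [ "$#" -ge 1 ]; then
    explain_build_dir "$1"
else
    demo
fi
```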


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber

> Addition: but even after successful compilation, the hash still didn't match
> for me, probably because of what Thomas Leonard already mentioned (
> https://github.com/mirage/qubes-mirage-firewall/pull/52 ). Can we get a 0.5.1
> release? I'd contribute with a more step-by-step build instructions doc for
> Qubes + Debian (no need for Fedora).


Q1: So you got through without the strange " mkdir: cannot create
directory '/home/opam/qubes-mirage-firewall/_build': Permission denied"
error  at the final build that blocks me ?

Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
folder without fiddling files by hand?

Cheers, Bernhard






> ‐‐‐ Original Message ‐‐‐
> On Monday, April 8, 2019 2:02 PM, 'qmirfw' via qubes-users wrote:
>
> > The docker container can't access the network. To solve change
> > docker build -t qubes-mirage-firewall .
> > to
> > docker build --network=host -t qubes-mirage-firewall .
> > in build-with-docker.sh .
> >
> > This way the container shares the host network, which would be an
> > antipattern, but we are using throw away VMs anyway.



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
Addition: but even after successful compilation, the hash still didn't match 
for me, probably because of what Thomas Leonard already mentioned ( 
https://github.com/mirage/qubes-mirage-firewall/pull/52 ). Can we get a 0.5.1 
release? I'd contribute with a more step-by-step build instructions doc for 
Qubes + Debian (no need for Fedora).


‐‐‐ Original Message ‐‐‐
On Monday, April 8, 2019 2:02 PM, 'qmirfw' via qubes-users 
 wrote:

> The docker container can't access the network. To solve change
> docker build -t qubes-mirage-firewall .
> to
> docker build --network=host -t qubes-mirage-firewall .
> in build-with-docker.sh .
>
> This way the container shares the host network, which would be an 
> antipattern, but we are using throw away VMs anyway.
>


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber

here is some build-news. next hint: give your template a lot of *disk
space*. My last error was due to that, but of course it did not tell me
"disc full" but some random other message. So now I am getting closer:
sudo ./build-with-docker.sh


Step 9/9:
Successfully tagged qubes-mirage-firewall:latest
Building Firewall...
error while executing ocamlbuild -use-ocamlfind -classic-display -tags
bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
-pkgs mirage config.cmxs
+ mkdir /home/opam/qubes-mirage-firewall/_build
mkdir: cannot create directory
'/home/opam/qubes-mirage-firewall/_build': Permission denied
Command exited with code 1.
Failure:
  Error during command "mkdir /home/opam/qubes-mirage-firewall/_build":
Ocamlbuild_pack.My_std.Exit_with_code(10).

--

so we are back with the question of /home/opam instead of /home/user ...

Is docker trying to write to the "real" /home  or at some sort of
chroot'ed  /home  inside docker ???   Aaaargh!



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber



> I believe that the Qubes sys-firewall by default prevents template VMs
> from connecting to anything except their package repositories. It's OK
> to install Docker in a template VM if you want, but everything else
> should be done in an AppVM.

no, I use a StandAlone debian buster with net access via sys-firewall.



> I've added more details at
> https://github.com/mirage/qubes-mirage-firewall/pull/51/files
>
> I tested this with Debian 9, but I assume it would work the same on
> Debian 10.
>
> By the way, while testing it I found one case where the hash can
> change even with Docker, and proposed a fix for that at
> https://github.com/mirage/qubes-mirage-firewall/pull/52


So here is some progress. Do not use debian repos for docker (at least
not if your debian is <= buster). They are still too old. Rather install
from docker itself, like explained here

https://docs.docker.com/install/linux/docker-ce/debian/

hint: download the pgp key via tor with a reasonable time-delay to
reduce a bit the risk of getting served tampered keys. Since you
probably cannot verify it further, that is all one can do.

The newest docker  allows to pass my previous problem (git error
message). But of course building wouldn't be fun if it just went
through, right? So, now it stops here:


<><> jbuilder.transition installed successfully
<><><><><><><><><><><><><><><><>
=> Jbuilder has been renamed and the jbuilder package is now a
transition package. Use the dune package instead.
# Run eval $(opam env) to update the current shell environment

The former state can be restored with:
opam switch import
"/home/opam/.opam/4.07/.opam-switch/backup/state-20190408104449.export"
The command '/bin/sh -c opam install -y vchan xen-gnt mirage-xen-ocaml
mirage-xen-minios io-page mirage-xen mirage mirage-nat mirage-qubes'
returned a non-zero code: 31

--


Of course, I have even less clues what that is about. Let's see.



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread Thomas Leonard
On Monday, April 8, 2019 at 2:20:28 AM UTC+1, haaber wrote:
> > On Sunday, April 7, 2019 at 6:06:13 AM UTC+1, haaber wrote:
> >> Hey Thomas,
> >>
> >> I are right, it that was definitely better to put the FAQ on the site
> >> (and this list). I did set up a standalone debian-10 to build, and the
> >> process went through smoothly. Thank you. The 'but' comes now: BUT, in
> >> the end the checksum fails!
> >
> > Did you use Docker to build it in your standalone qube? It should match if 
> > so. If not, it's unlikely to match because you're probably building against 
> > different library versions.
> 
> OK that is a convincing argument for docker. So: I did it, actually
> three times, more and more frustrated. First in my "failed" template,
> then after having wiped old build remainders, then, to be sure, in a
> brand new debian-10. I did (and only did(!), since it was a brand new
> template)
> 
> sudo apt-get install docker docker.io
> git clone https://github.com/mirage/qubes-mirage-firewall.git
> cd qubes-mirage-firewall
> su
> bash -x ./build-with-docker.sh
> 
> 
> This fails, reproducibly over two days and several templates. Here is
> the output (sorry, a few lines)
[...]
> fatal: Unable to look up github.com (port 9418) (Temporary failure in
> name resolution)

I believe that the Qubes sys-firewall by default prevents template VMs from 
connecting to anything except their package repositories. It's OK to install 
Docker in a template VM if you want, but everything else should be done in an 
AppVM.

I've added more details at 
https://github.com/mirage/qubes-mirage-firewall/pull/51/files

I tested this with Debian 9, but I assume it would work the same on Debian 10.

By the way, while testing it I found one case where the hash can change even 
with Docker, and proposed a fix for that at 
https://github.com/mirage/qubes-mirage-firewall/pull/52



Re: [qubes-users] qubes-mirage-firewall 0.5

2019-04-08 Thread Thomas Leonard
On Sunday, April 7, 2019 at 9:23:13 PM UTC+1, 799 wrote:
> Hello Thomas,
> 
> 
> 
> Thomas Leonard wrote on Thu, Apr 4, 2019, 12:27:
> I'd like to announce the release of qubes-mirage-firewall 0.5:
> 
> https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.5
> (...)
> 
> For installation instructions, see:
> 
> https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md,
> 
> 
> thanks for the work you put into your mirage-firewall, as I have read your 
> announcement several times in the past, I'd like to give it a try, but I 
> would like to see some more information which is targeted towards newbies.
> To me it is not clear how I can setup the mirage-firewall.
> It seems that your suggestion is to build a docker image and while this 
> covered in the installation howto 
> (https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md) the 
> docker building must be started within an AppVM ... should this be a template 
> VM? a dedicated HVM? And should it be debian or fedora?
> I'd like to have a step for step instruction which takes a standard Qubes 
> Installation as baseline and then ends in a working mirage firewall.
> As mentioned I would be more than happy to contribute to the documentation, 
> but can you clarify the starting point?

I've proposed some extra text suggesting users should "Create a new Fedora-29 
AppVM (or reuse an existing one)":

https://github.com/mirage/qubes-mirage-firewall/pull/51

Does that help?



Re: [qubes-users] qubes-mirage-firewall 0.5

2019-04-08 Thread Sphere
So I have briefly read README.md about this and does this thing really have to 
run as a PV VM and cannot be a PVH VM?



Re: [qubes-users] qubes-mirage-firewall 0.5

2019-04-08 Thread Foppe de Haan
On Sunday, April 7, 2019 at 8:23:13 PM UTC, 799 wrote:
> Hello Thomas,
> 
> 
> 
> Thomas Leonard wrote on Thu, Apr 4, 2019, 12:27:
> I'd like to announce the release of qubes-mirage-firewall 0.5:
> 
> https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.5
> (...)
> 
> For installation instructions, see:
> 
> https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md,
> 
> 
> thanks for the work you put into your mirage-firewall, as I have read your 
> announcement several times in the past, I'd like to give it a try, but I 
> would like to see some more information which is targeted towards newbies.
> To me it is not clear how I can setup the mirage-firewall.
> It seems that your suggestion is to build a docker image and while this 
> covered in the installation howto 
> (https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md) the 
> docker building must be started within an AppVM ... should this be a template 
> VM? a dedicated HVM? And should it be debian or fedora?
> I'd like to have a step for step instruction which takes a standard Qubes 
> Installation as baseline and then ends in a working mirage firewall.
> As mentioned I would be more than happy to contribute to the documentation, 
> but can you clarify the starting point?
> 
> 
> So in which VM (and VM type) should I run those first steps:
> 
> 
> [...]
> Build from source
> Clone this Git repository and run the build-with-docker.sh script:
> sudo ln -s /var/lib/docker /home/user/docker
> sudo dnf install docker
> sudo systemctl start docker
> git clone https://github.com/mirage/qubes-mirage-firewall.git
> cd qubes-mirage-firewall
> sudo ./build-with-docker.sh
> [...]
> 
> - O

Run from any recent fedora-based AppVM (standalone or not). 



[qubes-users] Re: Qubes Os 4.0 - problem with performance

2019-04-08 Thread Jon deps

On 4/7/19 7:40 PM, Cranix wrote:
> By mistake I sent a direct answer, not a mail to the list, sorry for that.
>
> I have checked the logs and found
> dom0 kernel: sp5100_tco: I/O address 0x0cd6 already in use
> TBD: tbd_open_ex could not open file /var/lib/xenstored/tbd no such file
> or directory
> xen free = too small for satisy assignments! assigned_but_unused
>
> Both duckduckgo and google did not give me an answer as to what is going on.
> systemd-analyze blame showed me that AppVM needs 1 to 3 minutes to start,
> the rest of the services were rather quick.
>
> After installation the performance of the system was tolerable, maybe not super
> fast but it was usable. Right now I had to increase qrexec-timeout to 5
> minutes to be able to launch an AppVM.
>
> I had also noticed a warning in the logs that it's running out of storage,
> about 80% full.
>
> So this is rather a software-related issue, not a hardware one?



for me, the culprit was the "speedstep" in the bios/uefi,  if you have 
that try it with and without,  and maybe turn up your cpu fan speeds if 
you have that option

