[qubes-users] Whonix: configure Torbrowser for use in DispVM

[Sven Semmler]

I used to make some minor preference changes in torbrowser in the dvm
template ... but that no longer works. 

template:  tpl-who-15-ws
dvm-template:  dvm-anon based on tpl-who-15-ws

dom0# qvm-run -a dvm-anon xfce4-terminal
dvm-anon# torbrowser

... here I make my changes:

- remove all search engines except DuckDuckGoOnion
- set security to 'safest'

These changes survive in dvm-anon, but if I start a dispvm based on
dvm-anon the slider is on standard and all the search engines are
present.

I think torbrowser is a whonix-specific script that somehow detects that
it's running in a dispvm and then nukes the profile and replaces it with
a default. Is that true?

In that case, I would like to copy my profile from dvm-anon into the
actual template to the path from where the script copies. I get that
doing other changes to the preferences might harm. I want only the
default search engine to change and the security to be 'safest' (no
scripts at all)

What's the best way to do this?

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200318034017.GA1104%40app-email-private.


signature.asc
Description: PGP signature

Re: [qubes-users] Full networking between VMs

[unman]

On Tue, Mar 17, 2020 at 12:13:57PM -0700, arthur.summ...@gmail.com wrote:
> 
> 
> The command you listed:
> iifname "vif*" oifname "vif*" accept 
> 
> Is that a proper iptables rule, or are there placeholders in there that I 
> need to change specific to my system? Since iptables syntax is rather 
> unclear to me, I want to be sure before I go running things in my 
> sys-firewall. Shouldn't it be something like this?
> sudo iptables -A FORWARD -i "vif*" -o "vif*" -j ACCEPT
> 
> Then, in each one of my client qubes, I would run something like this:
> sudo iptables -I INPUT -i "vif*" -j ACCEPT
> 

Sorry Arthur, that's nftables syntax.
For iptables, you would want:
`sudo iptables -I FORWARD -i "vif*" -o "vif*" -j ACCEPT`
because you want that rule to PRECEDE the existing one that blocks
traffic.

For nftables I would rewrite the FORWARD chain and atomically rewrite it at
sys-firewall startup.
You can do this by using the scripts in /rw/config.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200318022523.GA6639%40thirdeyesecurity.org.

Re: [qubes-users] Full networking between VMs

[arthur . summers]

On Tuesday, March 17, 2020 at 10:57:39 AM UTC-5, unman wrote:
>
> On Tue, Mar 17, 2020 at 08:03:51AM -0700, arthur...@gmail.com 
>  wrote: 
> > Qubes is the only well-maintained type-1 client hypervisor that exists 
> as 
> > far as I know. I tried XenClient earlier in the decade, and it was an 
> > awesome product in my opinion. However, it ceased development. 
> > 
> > I think my use-case could be accomplished via iptables rules, but as I 
> > mentioned, I've never been very good with those rules and don't use it 
> > enough to have become proficient. This page is a good starting point and 
> > specifically mentions my use-case: 
> > 
> https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes 
> > 
> > However, rules have to be added to sys-firewall *and* each VM on a 
> per-IP 
> > basis. I would think there is a way to add a rule to sys-firewall that 
> > would open networking between all VMs by using CIDR blocks. Yes? No? 
> > 
> > For those still concerned with security, it would always be possible to 
> > have two sys-firewall VMs: one to provide the default isolation and one 
> to 
> > allow networking between systems. That would be a great setup, but I 
> just 
> > don't know how to do it. 
> > 
> > On Monday, March 16, 2020 at 11:31:17 PM UTC-5, Sven Semmler wrote: 
> > > 
> > > On Mon, Mar 16, 2020 at 09:16:40PM -0700, arthur...@gmail.com 
> > >  wrote: 
> > > > Interesting. It seems a little dated, though. Have you ever used it? 
> > > > 
> > > > On Monday, March 16, 2020 at 11:10:22 PM UTC-5, Sven Semmler wrote: 
> > > > > This looks like what you want: 
> > > > > https://github.com/Rudd-O/qubes-network-server 
> > > > > (last updated in Nov 2018) 
> > > 
> > > Nope. I don't have your use case. I wonder if plain vanilla 
> hypervisors 
> > > wouldn't be a better fit for you. 
> > > 
> > > /Sven 
> > > 
>
> The convention here is not to top-post. 
> Please scroll to the bottom of the message before you start typing. Or 
> reply inline. 
> It only takes you seconds, makes it much easier to follow threads, and 
> cumulatively saves your fellow users hours. 
>
> In *full* knowledge of what you are doing you probably only need to add 1 
> rule at the sys-firewall level in the FORWARD chain: 
> iifname "vif*" oifname "vif*" accept 
> You will still need to add incoming allow rules in INPUT chain per qube, 
> depending on 
> what service they offer. Not a huge issue. 
>
> The idea of having multiple sys firewalls is easy to implement, depending 
> on how you want it to work. Give some more detail on exactly what you 
> want. (Clearly stating the aim is the first step toward solution.) 
>

Sorry for the top-post. I always forget that about Google Groups.

The command you listed:
iifname "vif*" oifname "vif*" accept 

Is that a proper iptables rule, or are there placeholders in there that I 
need to change specific to my system? Since iptables syntax is rather 
unclear to me, I want to be sure before I go running things in my 
sys-firewall. Shouldn't it be something like this?
sudo iptables -A FORWARD -i "vif*" -o "vif*" -j ACCEPT

Then, in each one of my client qubes, I would run something like this:
sudo iptables -I INPUT -i "vif*" -j ACCEPT

If you could help me get the syntax right, that would be *super* helpful! 
Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e8c6742e-5e13-451b-8f16-f5827aa1cc6b%40googlegroups.com.

[qubes-users] Unsure How and If I Can Install Qubes

[Matteo Chicarella]

Hi, I'm new to this so bear with me whilst I get a grasp on things
I have a Dell Inspiron 5570 running Windows 10 Home on a 64-bit OS. It's
2TB HDD is fully encrypted with VeraCrypt
I'm looking to buy a 1TB HDD from Amazon to run Qubes on. Would it be
possible to fully encrypt the hard drive and have Qubes on that so I can
plug in in to run on my laptop; is there any issue with my hardware and
does it matter what HDD I buy?
Also, is there any reason that what I want to do is less secure than any
other method - either because of hardware or how I want to do it?

Thanks, all help is appreciated

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/VI1PR07MB5647EE8B4F0DAC4D119E9A9293F60%40VI1PR07MB5647.eurprd07.prod.outlook.com.

Re: [qubes-users] Re: How to get Ubuntu 18.04 running in a HVM with a GUI desktop in Qubes OS 4.0.3 ?

['M' via qubes-users]

tirsdag den 17. marts 2020 kl. 18.51.56 UTC+1 skrev Sven Semmler:
>
> On Tue, Mar 17, 2020 at 10:36:24AM -0700, 'M' via qubes-users wrote: 
> > Can the need to install the specific qubes agent programs in the HVM be 
> the 
> > reason why I haven't been able to surf the web from inside a Debian HVM 
> ? - 
> > you may see my other thread about this. 
>
> Nope. For that you only have to check the assigned IP, subnet and 
> gateway in the Qube Manager UI for that particular qube and then apply 
> those settings inside the HVM. 
>
> See also "Setting up networking for HVMs" on this page: 
> https://www.qubes-os.org/doc/standalone-and-hvm/ 
>
> > When it is possible to only make shortcuts in the Qube Menu for the 
> > programs that I would like to use, can I then delete the template again 
> and 
> > just install the music programs I would like to use in the preinstalled 
> > Debian template... ? 
>
> I'm not entirely sure I understand your question correctly. 
>
> -> Using the Qube Manager you can select which applications that are 
> installed in any particular template will show in the Qube Menu. 
>
> -> If all this effort was only about a particular program then yes: you 
> should have stated your need / intent more clearly at the beginning. You 
> can simply install that program in whatever template you use (debian, 
> fedora ... whatever) 
>
> > 1)  Shall I just delete the Ubuntu template Qube again by open the Qube 
> > Manager and click on delete qube, or do I have to delete other things ? 
>
> You installed it via RPM so the clean way is to uninstall it via 'sudo 
> dnf erase name_of_the_package' in dom0 
>
> > 2)  Can I just delete the Template file from dom0 by using the file 
> > manager, or do I have to delete or edit other files and if so which ? 
>
> That would result in issues down the road if you'd ever want to install 
> this template again (basically you would leave the system in a state 
> where it thinks the template is already installed). Don't do that. 
>
> > 3)  How can I install a specific program in the preinstalled Debian 10 
> > template - for example this program: https://flavio.tordini.org/musique 
> ? 
>
> Follow these instruction inside the template: 
> https://askubuntu.com/questions/40779/how-do-i-install-a-deb-file-via-the-command-line#40781
>  
>
> /Sven 
>
> -- 
>  public key: https://www.svensemmler.org/0x8F541FB6.asc 
> fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6 
>
>

Thank, you very much !

I prefer a GUI-approach, but if that can't be done, I'll try the terminal 
as a secondary/last approach.

I'll look into it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/200ec2b6-c4cb-4153-9078-795e4b01d259%40googlegroups.com.

Re: [qubes-users] Re: How to get Ubuntu 18.04 running in a HVM with a GUI desktop in Qubes OS 4.0.3 ?

[Sven Semmler]

On Tue, Mar 17, 2020 at 10:36:24AM -0700, 'M' via qubes-users wrote:
> Can the need to install the specific qubes agent programs in the HVM be the 
> reason why I haven't been able to surf the web from inside a Debian HVM ? - 
> you may see my other thread about this.

Nope. For that you only have to check the assigned IP, subnet and
gateway in the Qube Manager UI for that particular qube and then apply
those settings inside the HVM. 

See also "Setting up networking for HVMs" on this page: 
https://www.qubes-os.org/doc/standalone-and-hvm/

> When it is possible to only make shortcuts in the Qube Menu for the 
> programs that I would like to use, can I then delete the template again and 
> just install the music programs I would like to use in the preinstalled 
> Debian template... ?

I'm not entirely sure I understand your question correctly.

-> Using the Qube Manager you can select which applications that are
installed in any particular template will show in the Qube Menu.

-> If all this effort was only about a particular program then yes: you
should have stated your need / intent more clearly at the beginning. You
can simply install that program in whatever template you use (debian,
fedora ... whatever)

> 1)  Shall I just delete the Ubuntu template Qube again by open the Qube 
> Manager and click on delete qube, or do I have to delete other things ?

You installed it via RPM so the clean way is to uninstall it via 'sudo
dnf erase name_of_the_package' in dom0

> 2)  Can I just delete the Template file from dom0 by using the file 
> manager, or do I have to delete or edit other files and if so which ?

That would result in issues down the road if you'd ever want to install
this template again (basically you would leave the system in a state
where it thinks the template is already installed). Don't do that.

> 3)  How can I install a specific program in the preinstalled Debian 10 
> template - for example this program: https://flavio.tordini.org/musique ?

Follow these instruction inside the template: 
https://askubuntu.com/questions/40779/how-do-i-install-a-deb-file-via-the-command-line#40781

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200317175144.GB1145%40app-email-private.


signature.asc
Description: PGP signature

Re: [qubes-users] Installing templates.

['M' via qubes-users]

tirsdag den 17. marts 2020 kl. 16.27.47 UTC+1 skrev unman:
>
> On Tue, Mar 17, 2020 at 03:39:36AM -0700, 'M' via qubes-users wrote: 
> >   
> > Unman I have tried to download and install the following file as I 
> expected 
> > the file to create a GUI Ubuntu desktop: 
> > 
> https://qubes.3isec.org/Templates_4.0/qubes-template-bionic-desktop-4.0.1-202001121248.noarch.rpm
>  
> > 
>
> Your expectation was misplaced. It is a template that provides the 
> desktop flavor, and thus includes normal desktop tools. (Like choosing 
> this during course of install.) 
>
> > I got a template shortcut in the qube-menu, but I can't see any GUI 
> Ubuntu 
> > desktop. 
>
> Install Ubuntu and run it as a standalone HVM, although I dont 
> understand why you would want to do this. 
>
> > 
> > Shall I do some more to be able to get a window with the GUI Ubuntu 
> > desktop, and if so what ? 
>
> Install Ubuntu and run it as a standalone HVM, although I dont 
> understand why you would want to do this. 
>
> > 
> > You may also see or answer my thread here about it: 
> > https://groups.google.com/forum/#!topic/qubes-users/9tjB9vTbArc 
> > 
>
> As I've said before it's not helpful running across multiple threads. I 
> mean helpful to other people - I have no idea if you find it helpful. I 
> suspect not. 
> You need to step back, think about what you are trying to do, and doing, 
> and then clearly state any problem you have.
>


You're right.

My question in my other thread was about how to install Ubuntu 18.14 in a 
HVM with a GUI desktop.

Then I was told to try to install a Ubuntu template, which lead me here.

So that's the reason why I made a post in this thread.

In case you know how to get Ubuntu 18.14 running in a HVM with a GUI 
desktop, I would appreciate if you would answer my other thread about this 
issue - link: 
https://groups.google.com/forum/#!topic/qubes-users/9tjB9vTbArc

And if you know how to get on the internet from inside a Debian 10.3 HVM 
with a GUI desktop, I would also appreciate if you would answer my thread 
about this issue - link: 
https://groups.google.com/forum/#!topic/qubes-users/oxaXPDU9SNU

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8f5b485-fb72-463b-aa4c-115069dbffc4%40googlegroups.com.

Re: [qubes-users] Re: How to get Ubuntu 18.04 running in a HVM with a GUI desktop in Qubes OS 4.0.3 ?

['M' via qubes-users]

tirsdag den 17. marts 2020 kl. 16.22.24 UTC+1 skrev Sven Semmler:
>
> On Tue, Mar 17, 2020 at 03:10:07AM -0700, 'M' via qubes-users wrote: 
> > After the installation, I get a short-cut in the "Qubes menu" labelled 
> > "Template: bionic-desktop" with these sub-short-cuts: 1) Help, 2) Qube 
> > Settings and 3) Terminal. 
> > 
> > When pressing on help, a Ubuntu help page appear. 
> > 
> > I don't see any sign of a GUI desktop... 
>
> In Qubes the desktop currently resides in Dom0 and is XFCE by default. 
> The "-desktop" part in the name of the template simply means that the 
> template contains all the Ubuntu desktop applications. 
>
> If you actually want a window with the Ubuntu desktop your only option 
> is to install Ubuntu in a HVM, but then you need to install the specific 
> qubes agent programs in it to restore the file transfer / copy & paste 
> facilities. 
>
> Tip: if you launch "Qube Settings" and go to the applications tab you 
> will see a list of all the apps that are available in this template. By 
> adding them to the right side, they will appear in the Qubes Menu. Maybe 
> that gives you what you want? 
>
> /Sven 
>
> -- 
>  public key: https://www.svensemmler.org/0x8F541FB6.asc 
> fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6 
>
>

Arh, thank you. I didn't know that.

Can the need to install the specific qubes agent programs in the HVM be the 
reason why I haven't been able to surf the web from inside a Debian HVM ? - 
you may see my other thread about this.

When it is possible to only make shortcuts in the Qube Menu for the 
programs that I would like to use, can I then delete the template again and 
just install the music programs I would like to use in the preinstalled 
Debian template... ?

If so:

1)  Shall I just delete the Ubuntu template Qube again by open the Qube 
Manager and click on delete qube, or do I have to delete other things ?

2)  Can I just delete the Template file from dom0 by using the file 
manager, or do I have to delete or edit other files and if so which ?

3)  How can I install a specific program in the preinstalled Debian 10 
template - for example this program: https://flavio.tordini.org/musique ?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3cf64477-fc11-4675-be0e-a8a2d9514137%40googlegroups.com.

Re: [qubes-users] Salt Orchestration, vol.2

[unman]

On Tue, Mar 17, 2020 at 11:46:51AM +, Micha?? "rysiek" Wo??niak wrote:
> Hey hey,
> 
> I started diving more deeply into Salt on QubesOS, since now I have two 
> laptops
> with very similar config. One thing I'd like to use is Salt Orchestrate 
> runner:
> https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html
> 
> My use-case is: I need to enable networking on some templates (`dom0:
> qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
> disable networking on those templates.
> 
> So basically, I need Salt's `require`, but working *across* minions.
> 
> Seems like it's available on R4.0. Before I dive deep into trying to get it 
> into
> a functioning state (ha!), has anyone played with it? And most importantly: 
> how
> bad of an idea is it?
> 
> 
> Yes, I know enabling networking in templates is a Bad Idea, that's why I only
> want to do it temporarily and in a well-managed way. But yes, other ideas on 
> how
> to get this code into the templates are obviously welcome too -- I considered
> just putting it directly in my salt configs repo (that I then manually copy to
> dom0:/srv/salt/), but why would I want code that is supposed to be only 
> running
> on TemplateVMs in dom0 at all, right?
> 
> --
> rysiek
> 

It's relatively easy to use requires in salt calls - not really working
across minions, because there's only one minion in Qubes implementation.

In your case, I'd propose an alternative. Provision a "git" qube to do
the pull, and then copy the repo in to template where you will.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200317161520.GD29569%40thirdeyesecurity.org.

Re: [qubes-users] Salt Orchestration, vol.2

[Wojtek Porczyk]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Tue, Mar 17, 2020 at 11:46:51AM +, Michał "rysiek" Woźniak wrote:
> Hey hey,

Hej, rysiek!

> I started diving more deeply into Salt on QubesOS, since now I have two 
> laptops
> with very similar config. One thing I'd like to use is Salt Orchestrate 
> runner:
> https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html
> 
> My use-case is: I need to enable networking on some templates (`dom0:
> qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
> disable networking on those templates.
> 
> So basically, I need Salt's `require`, but working *across* minions.

I don't think that's possible. In principle Qubes' salt integration is
salt-ssh on steroids.

Relevant qrexec:
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubes.SaltLinuxVM
Launched from:
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubesctl
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubessalt/__init__.py

> Seems like it's available on R4.0. Before I dive deep into trying to get it 
> into
> a functioning state (ha!), has anyone played with it? And most importantly: 
> how
> bad of an idea is it?

It is bad. There are multiple ways for this to fail for some very unrelated
reasons. My most-often encountered problem with salt is it sometimes fails to
start the mgmt dispvm for memory fragmentation reasons. So if this was
supported, the failure mode would be: enable network, do something, fail to
disable network.

Also remember that the error reporting is not that good, esp. for this case.

> Yes, I know enabling networking in templates is a Bad Idea, that's why I only
> want to do it temporarily and in a well-managed way. But yes, other ideas on 
> how
> to get this code into the templates are obviously welcome too -- I considered
> just putting it directly in my salt configs repo (that I then manually copy to
> dom0:/srv/salt/), but why would I want code that is supposed to be only 
> running
> on TemplateVMs in dom0 at all, right?

If you need *code*, you could either just push it from dom0 (since that is
where you have salt in the first place). Or, with git, you can try this:
https://github.com/woju/qubes-app-split-git.


- -- 
pozdrawiam / best regards   _.-._
Wojtek Porczyk   .-^'   '^-.
Invisible Things Lab |'-.-^-.-'|
 |  |   |  |
 I do not fear computers,|  '-.-'  |
 I fear lack of them.'-._ :  ,-'
-- Isaac Asimov `^-^-_>
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEaO0VFfpr0tEF6hYkv2vZMhA6I1EFAl5w8+4ACgkQv2vZMhA6
I1GtWg/8Ce1soJZVyuqkIamiCrb/VE1YcOLNolsHsKvyxervrFVkQ0Zo1KokI03h
qTgJ0l4D6YGaSVBxJhEcPNN1lONkJ1vQkQmxWPtXMGLEpHPJYuBjDkKxHINjSRc6
mcga0xx/EqhECUgL8+Qkij6zcAyMxwiA4KxQzYetBZlPxDqjt9J9fD98sKIPFduA
tkdM38zcSv/Y1XxkGzWbW34nn5FYjJsZF0Ki/68bjiAfcBFfWa43P1YxuebLAR/7
taEWgKolole96XSD2knegOEgLxJz4JudIiYh27kYjFt2gn5GGcsPE/kzJCwDKTXi
RCzQ/r7IXNhLMVqfQVnSYIHM8vpHWt12cc8qy7BmZHgouV/Vftvw3aXj6IJEZK8v
jgIU9mAuWhpue4tsLzHwDx/aHoHft56EkgSiqxCbPN6TuH+r0+/RbDLEdhLBglZj
DI+OSgOdpeR177e+CjI6wrPEFGnsEFu6STirXb8WOIMKglbnokT2QIVr1089whIw
mkFirRLB+3dKCTMenslFDJrpg2w2RLlcwo4k44TO3wEMh9OXhfoueOHiUDAg64KF
dinXJjW5dbrZ1i8pSoCGJrSc1jisC4I3/D7a+n1wLdPvAmbO8Qcdki81vuEE6YrI
1IsxIz9k7yR9b7g/8zhiK/vkvl6xV/w3yhmMCDMczZ3RFymdiRs=
=AWuf
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200317155943.GA1254%40invisiblethingslab.com.

Re: [qubes-users] Full networking between VMs

[unman]

On Tue, Mar 17, 2020 at 08:03:51AM -0700, arthur.summ...@gmail.com wrote:
> Qubes is the only well-maintained type-1 client hypervisor that exists as 
> far as I know. I tried XenClient earlier in the decade, and it was an 
> awesome product in my opinion. However, it ceased development.
> 
> I think my use-case could be accomplished via iptables rules, but as I 
> mentioned, I've never been very good with those rules and don't use it 
> enough to have become proficient. This page is a good starting point and 
> specifically mentions my use-case:
> https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
> 
> However, rules have to be added to sys-firewall *and* each VM on a per-IP 
> basis. I would think there is a way to add a rule to sys-firewall that 
> would open networking between all VMs by using CIDR blocks. Yes? No?
> 
> For those still concerned with security, it would always be possible to 
> have two sys-firewall VMs: one to provide the default isolation and one to 
> allow networking between systems. That would be a great setup, but I just 
> don't know how to do it.
> 
> On Monday, March 16, 2020 at 11:31:17 PM UTC-5, Sven Semmler wrote:
> >
> > On Mon, Mar 16, 2020 at 09:16:40PM -0700, arthur...@gmail.com 
> >  wrote: 
> > > Interesting. It seems a little dated, though. Have you ever used it? 
> > > 
> > > On Monday, March 16, 2020 at 11:10:22 PM UTC-5, Sven Semmler wrote: 
> > > > This looks like what you want: 
> > > > https://github.com/Rudd-O/qubes-network-server 
> > > > (last updated in Nov 2018) 
> >
> > Nope. I don't have your use case. I wonder if plain vanilla hypervisors 
> > wouldn't be a better fit for you. 
> >
> > /Sven 
> >

The convention here is not to top-post.
Please scroll to the bottom of the message before you start typing. Or
reply inline.
It only takes you seconds, makes it much easier to follow threads, and
cumulatively saves your fellow users hours.

In *full* knowledge of what you are doing you probably only need to add 1
rule at the sys-firewall level in the FORWARD chain:
iifname "vif*" oifname "vif*" accept
You will still need to add incoming allow rules in INPUT chain per qube, 
depending on
what service they offer. Not a huge issue.

The idea of having multiple sys firewalls is easy to implement, depending
on how you want it to work. Give some more detail on exactly what you
want. (Clearly stating the aim is the first step toward solution.)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200317155734.GC29569%40thirdeyesecurity.org.

Re: [qubes-users] Errors were encountered while processing:, qubes-core-agent-passwordless-root? (now cant install things?)

[unman]

On Mon, Mar 16, 2020 at 04:16:57PM -0400, Stumpy wrote:
> Hi, my previous post was perhaps inappropriate in that i mixed posts so i am
> repostin gjust about this one issue.
> 
> I am now getting the following when i try to update or install anything (in
> this case lutris)
> 
> user@gaming:~$ sudo apt-get install lutris
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following additional packages will be installed:
>   cabextract curl fluid-soundfont-gm fluid-soundfont-gs
> gir1.2-gdesktopenums-3.0 gir1.2-gnomedesktop-3.0 lib32gcc1
>   libc6-i386 libcurl4 libmspack0 mesa-utils p7zip python3-evdev python3-yaml
> Suggested packages:
>   fluidsynth timidity p7zip-full python-evdev-doc
> The following packages will be REMOVED:
>   qubes-core-agent-passwordless-root
> The following NEW packages will be installed:
>   cabextract curl fluid-soundfont-gm fluid-soundfont-gs
> gir1.2-gdesktopenums-3.0 gir1.2-gnomedesktop-3.0 lib32gcc1
>   libc6-i386 libcurl4 libmspack0 lutris mesa-utils p7zip python3-evdev
> python3-yaml
> 0 upgraded, 15 newly installed, 1 to remove and 1 not upgraded.
> 1 not fully installed or removed.
> Need to get 0 B/128 MB of archives.
> After this operation, 174 MB of additional disk space will be used.
> Do you want to continue? [Y/n] y
> (Reading database ... 149744 files and directories currently installed.)
> Removing qubes-core-agent-passwordless-root (4.0.51-1+deb10u1) ...
> Removing user user from group sudo
> gpasswd: user 'user' is not a member of 'sudo'
> dpkg: error processing package qubes-core-agent-passwordless-root
> (--remove):
>  installed qubes-core-agent-passwordless-root package post-removal script
> subprocess returned error exit status 3
> Errors were encountered while processing:
>  qubes-core-agent-passwordless-root
> E: Sub-process /usr/bin/dpkg returned an error code (1)
> 
> 
> As a result it seems i cant update and i know i cant install things (and the
> error itself looks, troubling?)
> 
> Thanks in advance

This is a known issue, fixed in updated templates.
The problem (and solution) is clearly stated - 

> Removing user user from group sudo
> gpasswd: user 'user' is not a member of 'sudo'

If you *do* want to remove that package, then (if necessary) create the
group 'sudo' , add 'user' to it, and then remove the package.
sudo su -
(addgroup sudo)
usermod -a -G sudo user
apt remove qubes-core-agent-passwordless-root

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200317153816.GB29569%40thirdeyesecurity.org.

Re: [qubes-users] Installing templates.

[unman]

On Tue, Mar 17, 2020 at 03:39:36AM -0700, 'M' via qubes-users wrote:
>  
> Unman I have tried to download and install the following file as I expected 
> the file to create a GUI Ubuntu desktop: 
> https://qubes.3isec.org/Templates_4.0/qubes-template-bionic-desktop-4.0.1-202001121248.noarch.rpm
> 

Your expectation was misplaced. It is a template that provides the
desktop flavor, and thus includes normal desktop tools. (Like choosing
this during course of install.)

> I got a template shortcut in the qube-menu, but I can't see any GUI Ubuntu 
> desktop.

Install Ubuntu and run it as a standalone HVM, although I dont
understand why you would want to do this.

> 
> Shall I do some more to be able to get a window with the GUI Ubuntu 
> desktop, and if so what ?

Install Ubuntu and run it as a standalone HVM, although I dont
understand why you would want to do this.

> 
> You may also see or answer my thread here about it: 
> https://groups.google.com/forum/#!topic/qubes-users/9tjB9vTbArc
> 

As I've said before it's not helpful running across multiple threads. I
mean helpful to other people - I have no idea if you find it helpful. I
suspect not.
You need to step back, think about what you are trying to do, and doing,
and then clearly state any problem you have.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200317152743.GA29569%40thirdeyesecurity.org.

Re: [qubes-users] Re: How to get Ubuntu 18.04 running in a HVM with a GUI desktop in Qubes OS 4.0.3 ?

[Sven Semmler]

On Tue, Mar 17, 2020 at 03:10:07AM -0700, 'M' via qubes-users wrote:
> After the installation, I get a short-cut in the "Qubes menu" labelled 
> "Template: bionic-desktop" with these sub-short-cuts: 1) Help, 2) Qube 
> Settings and 3) Terminal.
> 
> When pressing on help, a Ubuntu help page appear.
> 
> I don't see any sign of a GUI desktop...

In Qubes the desktop currently resides in Dom0 and is XFCE by default.
The "-desktop" part in the name of the template simply means that the
template contains all the Ubuntu desktop applications. 

If you actually want a window with the Ubuntu desktop your only option
is to install Ubuntu in a HVM, but then you need to install the specific
qubes agent programs in it to restore the file transfer / copy & paste
facilities. 

Tip: if you launch "Qube Settings" and go to the applications tab you
will see a list of all the apps that are available in this template. By
adding them to the right side, they will appear in the Qubes Menu. Maybe
that gives you what you want?

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200317152213.GA1145%40app-email-private.


signature.asc
Description: PGP signature

Re: [qubes-users] Full networking between VMs

[arthur . summers]

Qubes is the only well-maintained type-1 client hypervisor that exists as 
far as I know. I tried XenClient earlier in the decade, and it was an 
awesome product in my opinion. However, it ceased development.

I think my use-case could be accomplished via iptables rules, but as I 
mentioned, I've never been very good with those rules and don't use it 
enough to have become proficient. This page is a good starting point and 
specifically mentions my use-case:
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes

However, rules have to be added to sys-firewall *and* each VM on a per-IP 
basis. I would think there is a way to add a rule to sys-firewall that 
would open networking between all VMs by using CIDR blocks. Yes? No?

For those still concerned with security, it would always be possible to 
have two sys-firewall VMs: one to provide the default isolation and one to 
allow networking between systems. That would be a great setup, but I just 
don't know how to do it.

On Monday, March 16, 2020 at 11:31:17 PM UTC-5, Sven Semmler wrote:
>
> On Mon, Mar 16, 2020 at 09:16:40PM -0700, arthur...@gmail.com 
>  wrote: 
> > Interesting. It seems a little dated, though. Have you ever used it? 
> > 
> > On Monday, March 16, 2020 at 11:10:22 PM UTC-5, Sven Semmler wrote: 
> > > This looks like what you want: 
> > > https://github.com/Rudd-O/qubes-network-server 
> > > (last updated in Nov 2018) 
>
> Nope. I don't have your use case. I wonder if plain vanilla hypervisors 
> wouldn't be a better fit for you. 
>
> /Sven 
>
> -- 
>  public key: https://www.svensemmler.org/0x8F541FB6.asc 
> fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db02370a-a57a-4172-8843-968c542dfc2f%40googlegroups.com.

[qubes-users] Salt Orchestration, vol.2

[rysiek]

Hey hey,

I started diving more deeply into Salt on QubesOS, since now I have two laptops
with very similar config. One thing I'd like to use is Salt Orchestrate runner:
https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html

My use-case is: I need to enable networking on some templates (`dom0:
qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
disable networking on those templates.

So basically, I need Salt's `require`, but working *across* minions.

Seems like it's available on R4.0. Before I dive deep into trying to get it into
a functioning state (ha!), has anyone played with it? And most importantly: how
bad of an idea is it?


Yes, I know enabling networking in templates is a Bad Idea, that's why I only
want to do it temporarily and in a well-managed way. But yes, other ideas on how
to get this code into the templates are obviously welcome too -- I considered
just putting it directly in my salt configs repo (that I then manually copy to
dom0:/srv/salt/), but why would I want code that is supposed to be only running
on TemplateVMs in dom0 at all, right?

--
rysiek

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8e862aa-244a-0c15-d43e-1bb5c0d543f1%40hackerspace.pl.


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Re: How to get on the internet from within a Debian 10.3 HVM, when Debian says that it is connected to the network, but can't get on the internet by using Firefox from within the De

['M' via qubes-users]

tirsdag den 17. marts 2020 kl. 12.09.31 UTC+1 skrev M:
>
> tirsdag den 17. marts 2020 kl. 11.50.48 UTC+1 skrev Frank Schäckermann:
>>
>>
>> lørdag den 14. marts 2020 kl. 21.06.02 UTC+1 skrev M:
>>>
>>> How to get on the internet from within a Debian 10.3 HVM, when Debian 
>>> says that it is connected to the network, but can't get on the internet by 
>>> using Firefox from within the Debian HVM ?
>>>
>>> I have created the Debian HVM by first downloading the DVD 1 file from 
>>> here: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/ to a 
>>> VM. Then create a new HVM by using the GUI and boot the ISO-file from 
>>> another VM. And the installation run successful (without internet 
>>> connection) according to the installer. After the installation I logged in 
>>> to Debian 10.3, and then set up the network by writing the correct IP, 
>>> netmask and gateway address according to the same HVM's "Qube Settings". 
>>> And I have pressed "On" in the menu bar so that Debian says that it is 
>>> connected to the cable network. But I still can't get on the internet. For 
>>> example if I open Firefox, and write "test" in the html field, Firefox tell 
>>> me that it can't connect to the server. And it is from the same pc I'm 
>>> making this thread, so Qubes OS is connected to the internet.
>>>
>>> I should probably also mention that I haven't installed any Qubes-tools 
>>> yet. In case I should try that, please write which packages I shall install 
>>> and where I can find them.
>>>
>>> So I would like some suggestions on what I shall do to get on the 
>>> internet by using Firefox from within the Debian HVM ?
>>>
>>
>>
>>
>> I should probably also mention that I have no problems whatsoever in 
>> getting on the internet from within a Windows 10 HVM or a Linux Mint HVM.
>>
>> So I can't understand why I can't get on the internet from within a 
>> Debian 10.3 HVM the same way as I got connected to the internet in the 
>> Linux Mint HVM.
>>
>> So I still need some suggestions on what I shall do to get on the 
>> internet by using Firefox from within the Debian 10.3 GUI HVM ?
>>
>>
>> Have you set the network configuration in your Debian HVM to „manual“ (as 
>> opposed to „dhcp“) and put the right static IP address, gateway address to 
>> what you see in the qubes‘ settings?
>>
>> And use 255.255.255.0 as the netmask and not the 255.255.255.255 shown in 
>> the settings!
>>
>> That should enable networking.
>>
>> If you don‘t see any IP address in the settings, make sure the qube has a 
>> net-vm set (i.e. sys-firewall) on the first tab in the settings.
>>
>> Regards, Frank
>>
>
>
> Thanks, Frank.
>
> I have changed the gateway-address from 255.255.255.255 to 255.255.255.0, 
> and i still can't use the Firefox browser inside the Debian HVM to get on 
> the internet.
>
> I then tried to delete the 9.9.9.9 DNS address and switch the DNS to 
> "Automatic". But that didn't work either...
>
> Frank have you tried to install the Debian 10.3 like I did and were you 
> able to get on the internet by using the Firefox browser ? - I ask, only to 
> rule things out. Because if so, then it has to be something with my 
> settings. And if not, it still might be the connection between Qubes OS and 
> Debian that doesn't work properly.
>
>
>


I have also compared the network settings in the Debian HVM with the Linux 
Mint HVM, and they look precisely the same. Only the IP-address is 
different.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/36f8408e-0684-4943-b09f-4f72fef4e63f%40googlegroups.com.

Re: [qubes-users] Re: How to get on the internet from within a Debian 10.3 HVM, when Debian says that it is connected to the network, but can't get on the internet by using Firefox from within the De

['M' via qubes-users]

tirsdag den 17. marts 2020 kl. 11.50.48 UTC+1 skrev Frank Schäckermann:
>
>
> lørdag den 14. marts 2020 kl. 21.06.02 UTC+1 skrev M:
>>
>> How to get on the internet from within a Debian 10.3 HVM, when Debian 
>> says that it is connected to the network, but can't get on the internet by 
>> using Firefox from within the Debian HVM ?
>>
>> I have created the Debian HVM by first downloading the DVD 1 file from 
>> here: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/ to a 
>> VM. Then create a new HVM by using the GUI and boot the ISO-file from 
>> another VM. And the installation run successful (without internet 
>> connection) according to the installer. After the installation I logged in 
>> to Debian 10.3, and then set up the network by writing the correct IP, 
>> netmask and gateway address according to the same HVM's "Qube Settings". 
>> And I have pressed "On" in the menu bar so that Debian says that it is 
>> connected to the cable network. But I still can't get on the internet. For 
>> example if I open Firefox, and write "test" in the html field, Firefox tell 
>> me that it can't connect to the server. And it is from the same pc I'm 
>> making this thread, so Qubes OS is connected to the internet.
>>
>> I should probably also mention that I haven't installed any Qubes-tools 
>> yet. In case I should try that, please write which packages I shall install 
>> and where I can find them.
>>
>> So I would like some suggestions on what I shall do to get on the 
>> internet by using Firefox from within the Debian HVM ?
>>
>
>
>
> I should probably also mention that I have no problems whatsoever in 
> getting on the internet from within a Windows 10 HVM or a Linux Mint HVM.
>
> So I can't understand why I can't get on the internet from within a Debian 
> 10.3 HVM the same way as I got connected to the internet in the Linux Mint 
> HVM.
>
> So I still need some suggestions on what I shall do to get on the internet 
> by using Firefox from within the Debian 10.3 GUI HVM ?
>
>
> Have you set the network configuration in your Debian HVM to „manual“ (as 
> opposed to „dhcp“) and put the right static IP address, gateway address to 
> what you see in the qubes‘ settings?
>
> And use 255.255.255.0 as the netmask and not the 255.255.255.255 shown in 
> the settings!
>
> That should enable networking.
>
> If you don‘t see any IP address in the settings, make sure the qube has a 
> net-vm set (i.e. sys-firewall) on the first tab in the settings.
>
> Regards, Frank
>


Thanks, Frank.

I have changed the gateway-address from 255.255.255.255 to 255.255.255.0, 
and i still can't use the Firefox browser inside the Debian HVM to get on 
the internet.

I then tried to delete the 9.9.9.9 DNS address and switch the DNS to 
"Automatic". But that didn't work either...

Frank have you tried to install the Debian 10.3 like I did and were you 
able to get on the internet by using the Firefox browser ? - I ask, only to 
rule things out. Because if so, then it has to be something with my 
settings. And if not, it still might be the connection between Qubes OS and 
Debian that doesn't work properly.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c7ee0cb5-d9c9-4a91-b69e-e79cd68ae3d3%40googlegroups.com.

Re: [qubes-users] Re: How to get on the internet from within a Debian 10.3 HVM, when Debian says that it is connected to the network, but can't get on the internet by using Firefox from within the De

[Frank]

>> lørdag den 14. marts 2020 kl. 21.06.02 UTC+1 skrev M:
>> How to get on the internet from within a Debian 10.3 HVM, when Debian says 
>> that it is connected to the network, but can't get on the internet by using 
>> Firefox from within the Debian HVM ?
>> 
>> I have created the Debian HVM by first downloading the DVD 1 file from here: 
>> https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/ to a VM. Then 
>> create a new HVM by using the GUI and boot the ISO-file from another VM. And 
>> the installation run successful (without internet connection) according to 
>> the installer. After the installation I logged in to Debian 10.3, and then 
>> set up the network by writing the correct IP, netmask and gateway address 
>> according to the same HVM's "Qube Settings". And I have pressed "On" in the 
>> menu bar so that Debian says that it is connected to the cable network. But 
>> I still can't get on the internet. For example if I open Firefox, and write 
>> "test" in the html field, Firefox tell me that it can't connect to the 
>> server. And it is from the same pc I'm making this thread, so Qubes OS is 
>> connected to the internet.
>> 
>> I should probably also mention that I haven't installed any Qubes-tools yet. 
>> In case I should try that, please write which packages I shall install and 
>> where I can find them.
>> 
>> So I would like some suggestions on what I shall do to get on the internet 
>> by using Firefox from within the Debian HVM ?
> 
> 
> 
> I should probably also mention that I have no problems whatsoever in getting 
> on the internet from within a Windows 10 HVM or a Linux Mint HVM.
> 
> So I can't understand why I can't get on the internet from within a Debian 
> 10.3 HVM the same way as I got connected to the internet in the Linux Mint 
> HVM.
> 
> So I still need some suggestions on what I shall do to get on the internet by 
> using Firefox from within the Debian 10.3 GUI HVM ?

Have you set the network configuration in your Debian HVM to „manual“ (as 
opposed to „dhcp“) and put the right static IP address, gateway address to what 
you see in the qubes‘ settings?

And use 255.255.255.0 as the netmask and not the 255.255.255.255 shown in the 
settings!

That should enable networking.

If you don‘t see any IP address in the settings, make sure the qube has a 
net-vm set (i.e. sys-firewall) on the first tab in the settings.

Regards, Frank

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/30775-1584442242-655356%40sneakemail.com.

Re: [qubes-users] Installing templates.

['M' via qubes-users]

torsdag den 12. marts 2020 kl. 17.14.15 UTC+1 skrev unman:
>
> On Wed, Mar 11, 2020 at 06:53:58PM +0100, dhorf-hfr...@hashmail.org 
>  wrote: 
> > On Wed, Mar 11, 2020 at 10:46:12AM -0700, redpo...@gmail.com 
>  wrote: 
> > > I've downloaded some ubuntu templates with the .rpm extension.  I have 
> been 
> > > told by someone that I need to put the rpm file into dom0 and then 
> install 
> > > via cli with dnf etc. 
> > 
> > this means you are giving the person who created those rpms or anyone 
> > who managed to compromise their build process or storage/distro chain 
> > full root access in your dom0 == full control over the whole system. 
> > 
> > "not recommended" 
> > 
>
> I provide Ubuntu templates - have done for years. I dont know if these 
> are mine. 
> I provide pre-built Qubes packages for Ubuntu too, at 
> https://qubes.3isec.org 
> I *always* recommend building your own, but there are users who want to 
> try them out or dont think they are able to use QubesBuilder - for those 
> people - "recommended" (with or without quote marks) 
>
> let's dig in to your comment a bit - 
> Compromise the build process - are you aware of new issues in the 
> QubesBuilder process? 
> Compromise storage/distro chain - Nothing is trusted here - the 
> infrastructure is never trusted. 
>
> *Any* package to be installed in dom0 should be signed, and it's for users 
> to determine whether they choose to trust the signer, in awareness of 
> the risk. 
> Dont underestimate it, but dont exaggerate either. 
>
>
> And for anyone wondering about OPs original questions, dom0 has dolphin 
> file manager. 
>
> You can verify the signature on a package using `rpm -K `. 
> `rpm -qpi ` will show you the keyID used to sign the package 
> You should verify the key from multiple sources. 
>
> If you are satisfied, then you may be prepared to copy the package in to 
> dom0. 
> If you have downloaded in /home/user/Downloads on "dload", and package is 
> "foo.rpm", the 
> canonical way to do this is: 
> qvm-run -p  dload 'cat /home/user/Downloads/foo.rpm' > foo.rpm 
>
> Then verify the package again, and install as you will, with 
> `dnf install foo.rpm` 
>

 
Unman I have tried to download and install the following file as I expected 
the file to create a GUI Ubuntu desktop: 
https://qubes.3isec.org/Templates_4.0/qubes-template-bionic-desktop-4.0.1-202001121248.noarch.rpm

I got a template shortcut in the qube-menu, but I can't see any GUI Ubuntu 
desktop.

Shall I do some more to be able to get a window with the GUI Ubuntu 
desktop, and if so what ?

You may also see or answer my thread here about it: 
https://groups.google.com/forum/#!topic/qubes-users/9tjB9vTbArc


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/64a12cc6-f68f-4cf8-bf95-edd0fc6fd04e%40googlegroups.com.

Re: [qubes-users] Errors were encountered while processing:, qubes-core-agent-passwordless-root? (now cant install things?)

[Frank]

> On 16. Mar 2020, at 21:17, Stumpy  wrote:
> 
> Hi, my previous post was perhaps inappropriate in that i mixed posts so i am 
> repostin gjust about this one issue.
> 
> I am now getting the following when i try to update or install anything (in 
> this case lutris)
> 
> user@gaming:~$ sudo apt-get install lutris
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following additional packages will be installed:
>  cabextract curl fluid-soundfont-gm fluid-soundfont-gs 
> gir1.2-gdesktopenums-3.0 gir1.2-gnomedesktop-3.0 lib32gcc1
>  libc6-i386 libcurl4 libmspack0 mesa-utils p7zip python3-evdev python3-yaml
> Suggested packages:
>  fluidsynth timidity p7zip-full python-evdev-doc
> The following packages will be REMOVED:
>  qubes-core-agent-passwordless-root
> The following NEW packages will be installed:
>  cabextract curl fluid-soundfont-gm fluid-soundfont-gs 
> gir1.2-gdesktopenums-3.0 gir1.2-gnomedesktop-3.0 lib32gcc1
>  libc6-i386 libcurl4 libmspack0 lutris mesa-utils p7zip python3-evdev 
> python3-yaml
> 0 upgraded, 15 newly installed, 1 to remove and 1 not upgraded.
> 1 not fully installed or removed.
> Need to get 0 B/128 MB of archives.
> After this operation, 174 MB of additional disk space will be used.
> Do you want to continue? [Y/n] y
> (Reading database ... 149744 files and directories currently installed.)
> Removing qubes-core-agent-passwordless-root (4.0.51-1+deb10u1) ...
> Removing user user from group sudo
> gpasswd: user 'user' is not a member of 'sudo'
> dpkg: error processing package qubes-core-agent-passwordless-root (--remove):
> installed qubes-core-agent-passwordless-root package post-removal script 
> subprocess returned error exit status 3
> Errors were encountered while processing:
> qubes-core-agent-passwordless-root
> E: Sub-process /usr/bin/dpkg returned an error code (1)

If you remove qubes-core-agent-passwordless-root you can’t do sudo anymore 
without quite a bit more configuration.

Therefore, as soon as apt-get removes that package the post-install-scripts 
might fail.

You should be able to get around that by starting a root user terminal in the 
effected qube by executing „qvm-run -u root  xterm“ in a dom0 
terminal.

In the resulting terminal window do „apt-get install 
qubes-core-agent-passwordless-root“ to fix your problem (or apt-get remove ... 
if you actually DO want to remove the package).

Regards, Frank

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/30264-1584441539-286408%40sneakemail.com.

[qubes-users] Re: How to get on the internet from within a Debian 10.3 HVM, when Debian says that it is connected to the network, but can't get on the internet by using Firefox from within the Debian

['M' via qubes-users]

lørdag den 14. marts 2020 kl. 21.06.02 UTC+1 skrev M:
>
> How to get on the internet from within a Debian 10.3 HVM, when Debian says 
> that it is connected to the network, but can't get on the internet by using 
> Firefox from within the Debian HVM ?
>
> I have created the Debian HVM by first downloading the DVD 1 file from 
> here: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/ to a 
> VM. Then create a new HVM by using the GUI and boot the ISO-file from 
> another VM. And the installation run successful (without internet 
> connection) according to the installer. After the installation I logged in 
> to Debian 10.3, and then set up the network by writing the correct IP, 
> netmask and gateway address according to the same HVM's "Qube Settings". 
> And I have pressed "On" in the menu bar so that Debian says that it is 
> connected to the cable network. But I still can't get on the internet. For 
> example if I open Firefox, and write "test" in the html field, Firefox tell 
> me that it can't connect to the server. And it is from the same pc I'm 
> making this thread, so Qubes OS is connected to the internet.
>
> I should probably also mention that I haven't installed any Qubes-tools 
> yet. In case I should try that, please write which packages I shall install 
> and where I can find them.
>
> So I would like some suggestions on what I shall do to get on the internet 
> by using Firefox from within the Debian HVM ?
>



I should probably also mention that I have no problems whatsoever in 
getting on the internet from within a Windows 10 HVM or a Linux Mint HVM.

So I can't understand why I can't get on the internet from within a Debian 
10.3 HVM the same way as I got connected to the internet in the Linux Mint 
HVM.

So I still need some suggestions on what I shall do to get on the internet 
by using Firefox from within the Debian 10.3 GUI HVM ?


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f3dfa82d-13ae-4e50-9a3f-42eed826%40googlegroups.com.

[qubes-users] Re: How to get Ubuntu 18.04 running in a HVM with a GUI desktop in Qubes OS 4.0.3 ?

['M' via qubes-users]

tirsdag den 17. marts 2020 kl. 11.01.14 UTC+1 skrev M:
>
> mandag den 16. marts 2020 kl. 21.41.32 UTC+1 skrev drbg...@gmail.com:
>>
>> I installed Ubuntu as a HVM and had to muck around with the disc it 
>> installed on as I said (xvda/xvdb etc).  Some worked some didn't.
>>
>> With regards to resolution I did try from within Ubuntu but the maximum 
>> resolution was I think 800X600 which is tiny and it didn't give me any more 
>> options.  Supposedly this is fixable, but I didn't go there.  If you get 
>> that far you will see that the display window cuts off your ability to 
>> access the resolution drop down bar on the right.  Grab the window in the 
>> middle and pull the entire thing to the left and you can then get to the 
>> drop down bar, but mine only had the one resolution option.
>>
>> I didn't go down the template path but Sven kindly posted this below as a 
>> guide.  It probably recreates what you said, but it may provide some finer 
>> detail.  
>>
>> Again, let me know how you get on. 
>>
>> Here's the post:  
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> *I'll take a shot at it.Let's say you have a VM called 'web' in which you 
>> downloaded a file'template.rpm' which is not stored 
>> under/home/user/Downloads/template.rm in that 'web' VM.You want to transfer 
>> it to dom0.So in dom0 you will be using a command called qvm-run, which 
>> allows youto run/start programs inside VMs. It has a parameter called 
>> --pass-iowhich let's you see the output of that program in your dom0 
>> terminal.You can test this for example with a simple text file. In your 
>> 'web' VMstart a terminal and use gedit to create a text file test.txt in 
>> yourhome directory (/home/user/test.txt). Put some "hello world!" 
>> textinside and safe it / close gedit. Not in your terminal write 
>> "cat/home/user/test.txt" and you will see the contents of that text file 
>> inthe terminal.Next, go to dom0 and open a terminal there. In that terminal 
>> write:"qvm-run --pass-io web 'cat /home/user/test.txt'"Now you see the 
>> context of the text file in your dom0 terminal. Thefinal step is to add 
>> something to the end of this command: "qvm-run--pass-io web 'cat 
>> /home/user/test.txt' > /home/user/test.txtWhen you run this, instead of 
>> seeing the output in the terminal it isnow written into /home/user/test.txt 
>> in dom0! You can verify with "cat/home/user/test.txt"I've explained this 
>> with a little text file to make it easy tounderstand. Back to your 
>> /home/user/Downloads/template.rpm in the webVM. We can use the same 
>> mechanism:qvm-run --pass-io web 'cat /home/user/Downloads/template.rpm' 
>> >/home/user/template.rpmIt'll take a few secondes or maybe even a minute 
>> depending on yourcomputer and the size of the file. But when it's done you 
>> know havesuccessfully copied the template.rpm into dom0 and can now runsudo 
>> dnf install template.rpmThis is all described a bit more brief 
>> athttps://www.qubes-os.org/doc/copy-from-dom0/ 
>> Cheers,/Sven*
>>
>>
>>
>>
>>
>> On Tuesday, 17 March 2020 06:12:35 UTC+11, M wrote:
>>>
>>> mandag den 16. marts 2020 kl. 18.48.13 UTC+1 skrev redpo...@gmail.com:

 Good luck with this.  I have managed to install Ubuntu but you only get 
 a small window (which apparently is fixable but I didn't go there).  
 Networking is difficult and I could never get it to recognise my wifi 
 adapter.  You could always try and install an Ubuntu template from here: 
 https://qubes.3isec.org/Templates_4.0/  but that entails installing 
 the template in dom0 which I wasn't real keen on.  There is guide here on 
 how to do it.  Let me know if you can't find it and you want it.

 I also into the problems that you are citing.  I solved it by mucking 
 around with installing it on xvda then xvdb etc.  I changed the virtual 
 drive installation options and it worked.  But I'm just letting you know 
 that you will opening a door to some more challenges.  I was trying to 
 install Ubuntu because I know it and I can set up my printers etc, but I 
 gave up and went through the learning of doing all of this on a Fedora 
 template in qubes which was a better result anyway.

 Good luck.  Let us know how you go.  

>>>
>>>
>>> 1)  Thanks for the optimistic view. :)
>>>
>>> 2)  Regarding the small window: Have you tried to change the screen 
>>> resolutions in Ubuntu ? - although you can't get full screen, it should be 
>>> possible to get it at least almost full screen. It works in both Windows 
>>> 10, Linux Mint and Debian 10.3.
>>>
>>> 3)  For me it's fine if just I can get on the internet from within 
>>> Ubuntu by using a cable connection ? - I haven't been able to get it 
>>> working in a Debian GUI HVM, but at least in a Windows 10 and Linux Mint 
>>> HVM. But I 

[qubes-users] Re: How to get Ubuntu 18.04 running in a HVM with a GUI desktop in Qubes OS 4.0.3 ?

['M' via qubes-users]

mandag den 16. marts 2020 kl. 21.41.32 UTC+1 skrev drbg...@gmail.com:
>
> I installed Ubuntu as a HVM and had to muck around with the disc it 
> installed on as I said (xvda/xvdb etc).  Some worked some didn't.
>
> With regards to resolution I did try from within Ubuntu but the maximum 
> resolution was I think 800X600 which is tiny and it didn't give me any more 
> options.  Supposedly this is fixable, but I didn't go there.  If you get 
> that far you will see that the display window cuts off your ability to 
> access the resolution drop down bar on the right.  Grab the window in the 
> middle and pull the entire thing to the left and you can then get to the 
> drop down bar, but mine only had the one resolution option.
>
> I didn't go down the template path but Sven kindly posted this below as a 
> guide.  It probably recreates what you said, but it may provide some finer 
> detail.  
>
> Again, let me know how you get on. 
>
> Here's the post:  
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *I'll take a shot at it.Let's say you have a VM called 'web' in which you 
> downloaded a file'template.rpm' which is not stored 
> under/home/user/Downloads/template.rm in that 'web' VM.You want to transfer 
> it to dom0.So in dom0 you will be using a command called qvm-run, which 
> allows youto run/start programs inside VMs. It has a parameter called 
> --pass-iowhich let's you see the output of that program in your dom0 
> terminal.You can test this for example with a simple text file. In your 
> 'web' VMstart a terminal and use gedit to create a text file test.txt in 
> yourhome directory (/home/user/test.txt). Put some "hello world!" 
> textinside and safe it / close gedit. Not in your terminal write 
> "cat/home/user/test.txt" and you will see the contents of that text file 
> inthe terminal.Next, go to dom0 and open a terminal there. In that terminal 
> write:"qvm-run --pass-io web 'cat /home/user/test.txt'"Now you see the 
> context of the text file in your dom0 terminal. Thefinal step is to add 
> something to the end of this command: "qvm-run--pass-io web 'cat 
> /home/user/test.txt' > /home/user/test.txtWhen you run this, instead of 
> seeing the output in the terminal it isnow written into /home/user/test.txt 
> in dom0! You can verify with "cat/home/user/test.txt"I've explained this 
> with a little text file to make it easy tounderstand. Back to your 
> /home/user/Downloads/template.rpm in the webVM. We can use the same 
> mechanism:qvm-run --pass-io web 'cat /home/user/Downloads/template.rpm' 
> >/home/user/template.rpmIt'll take a few secondes or maybe even a minute 
> depending on yourcomputer and the size of the file. But when it's done you 
> know havesuccessfully copied the template.rpm into dom0 and can now runsudo 
> dnf install template.rpmThis is all described a bit more brief 
> athttps://www.qubes-os.org/doc/copy-from-dom0/ 
> Cheers,/Sven*
>
>
>
>
>
> On Tuesday, 17 March 2020 06:12:35 UTC+11, M wrote:
>>
>> mandag den 16. marts 2020 kl. 18.48.13 UTC+1 skrev redpo...@gmail.com:
>>>
>>> Good luck with this.  I have managed to install Ubuntu but you only get 
>>> a small window (which apparently is fixable but I didn't go there).  
>>> Networking is difficult and I could never get it to recognise my wifi 
>>> adapter.  You could always try and install an Ubuntu template from here: 
>>> https://qubes.3isec.org/Templates_4.0/  but that entails installing the 
>>> template in dom0 which I wasn't real keen on.  There is guide here on how 
>>> to do it.  Let me know if you can't find it and you want it.
>>>
>>> I also into the problems that you are citing.  I solved it by mucking 
>>> around with installing it on xvda then xvdb etc.  I changed the virtual 
>>> drive installation options and it worked.  But I'm just letting you know 
>>> that you will opening a door to some more challenges.  I was trying to 
>>> install Ubuntu because I know it and I can set up my printers etc, but I 
>>> gave up and went through the learning of doing all of this on a Fedora 
>>> template in qubes which was a better result anyway.
>>>
>>> Good luck.  Let us know how you go.  
>>>
>>
>>
>> 1)  Thanks for the optimistic view. :)
>>
>> 2)  Regarding the small window: Have you tried to change the screen 
>> resolutions in Ubuntu ? - although you can't get full screen, it should be 
>> possible to get it at least almost full screen. It works in both Windows 
>> 10, Linux Mint and Debian 10.3.
>>
>> 3)  For me it's fine if just I can get on the internet from within Ubuntu 
>> by using a cable connection ? - I haven't been able to get it working in a 
>> Debian GUI HVM, but at least in a Windows 10 and Linux Mint HVM. But I 
>> would like to install a program that only works with Debian and Ubuntu, so 
>> I need to at least get either Debian or Ubuntu to work and being able to 
>> connect to the internet.
>>
>> 4)  Than

Antw: [EXT] [qubes-users] where to update initramfs & disable novevu? trying to get nvidia drivers to work

[Ulrich Windl]

>>> "'Bhyrf' via qubes-users"  schrieb am 
>>> 14.03.2020
um 20:22 in Nachricht
<29653_1584213784_5E6D2F17_29653_305_1_T4hbegaMXmdfNdKSaXu_tEyzBmPpymhe77AzL9qXr
S6vvxtqopHcNmsU0XLrR-LLzqoM_e12-oU4hyKUuxGOhmTAjE81ElMbGZsZpB77xw=@protonmail.co
 
>:
> firstly i would like to say i am mostly aware of what i am doing, im running 
> into an issue where certain HVMs arent working because of my GPU, i was able 
> to confirm this by rebooting with onboard intel graphics and it worked 
> flawlessly, but i insist on wanting to use my gpu for graphics and its not 
> feasible for me to go and buy a compatible out of the box gpu right now, 
> besides, the hcl confirms that my setup should work
> 
> i have got nvidia drivers on dom0, but i cant install it because noveavu 
> kernel driver is running, i have modprobe blacklisted noveavu but i suspect 
> grub is enabling it and it is also enabled in initramfs
> 
> my problems are that i cant find where and how to modify the initramfs, i 
> still havent yet managed to understand the architecture of qubeos and i was 
> planning to learn organicly but this is forcing me right down the pipe and 
> thus im struggling
> 
> i tried to access /boot/efi on dom0 and im getting access denied, sudoing 
> succeeds but it doesnt even take me into the directory, which is confusing, 
> i've verified its mounted and its mounted where it should be

Did you try "sudo -s"?

> 
> i wouldnt say im clueless, but many hours are going by upon each discovery 
> and that discovery gets me no closer because i have an issue like not being 
> able to get into the dir, itd be much appreciated if i could get some help 
> with this! thank u all
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/T4hbegaMXmdfNdKSaXu_tEyzBmPpymh 
> e77AzL9qXrAS6vvxtqopHcNmsU0XLrR-LLzqoM_e12-oU4hyKUuxGOhmTAjE81ElMbGZsZpB77xw%
> 3D%40protonmail.com.




-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5E7075BB02A100037D3E%40gwsmtp.uni-regensburg.de.