Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-09 Thread one7two99
On Tuesday, 9 April 2019 00:08:58 UTC+2, qmirfw wrote:

> I don't understand why you want to do all that in a TemplateVM, 
> and not an AppVM.
> Also why fight with Fedora, if my simple Debian based build gives the
> same binary as the official (equal checksum) [...]

You are right that using a full fedora-29 would not do any harm, therefore I 
have used this template and luckily everything was very easy to set up.
Thanks for the support!

I have compiled all info which I need to set up Mirage-FW in a short howto, 
which might also be helpful to others, in that all steps can be run from 
dom0, which is much easier and can be scripted (for example to rebuild 
your Qubes setup from a default installation):

@Mirage Firewall-Team:
I think creating a document/script which does the build process for the user 
will improve the end user experience of setting up mirage.

- 8< - - - - 
MirageFW_BuildVM=my-mirage-buildvm
TemplateVM=fedora-29
MirageFWAppVM=sys-mirage-fw

# create a new VM to build mirage via docker
qvm-create $MirageFW_BuildVM --class=AppVM --label=red --template=$TemplateVM

# Resize private disk to 10 GB
qvm-volume resize $MirageFW_BuildVM:private 10GB

# Create a symbolic link to save docker into the home directory
# (the link has to point from /var/lib/docker to the directory under /home,
# not the other way round)
qvm-run --auto --pass-io --no-gui $MirageFW_BuildVM \
  'sudo mkdir /home/user/var_lib_docker && \
   sudo ln -s /home/user/var_lib_docker /var/lib/docker'

# Install docker and git
qvm-run --pass-io --no-gui $MirageFW_BuildVM \
  'sudo dnf -y install docker git'

# Launch docker
qvm-run --pass-io --no-gui $MirageFW_BuildVM \
  'sudo systemctl start docker'

# Download and build mirage for qubes
qvm-run --pass-io --no-gui $MirageFW_BuildVM \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git && \
   cd qubes-mirage-firewall && \
   git pull origin pull/52/head && \
   sudo ./build-with-docker.sh'

# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io $MirageFW_BuildVM 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -

# create the new mirage firewall
qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts=None \
  --property memory=32 \
  --property maxmem=32 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pv \
  --label=green \
  --class StandaloneVM \
  $MirageFWAppVM

# The build VM can be deleted if you don't want to keep it,
# but if you want to upgrade Mirage Firewall for Qubes OS,
# you need to rebuild this VM.
qvm-shutdown --wait $MirageFW_BuildVM
qvm-remove --force $MirageFW_BuildVM

- 8< - - - - 

Link: 
https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md

Now the next steps are to learn how to tweak the firewall to allow specific 
communication between AppVMs, for example ssh/http.
Thanks to all for the help/suggestions.

- O

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ca3a0ecf-5e5e-40cb-a102-5679eee38cae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
On Tuesday, April 9, 2019 1:42 AM, 799 wrote:

> Thanks for the summary, this is what I was looking for. I am using 
> fedora-29-minimal for all my AppVMs, therefore I didn't think that the 
> problem might be template related.
> I'll run the same steps you did tomorrow.

Yes, I noticed after posting that you used fedora-29-minimal and tried to do the 
build in a minimal-based AppVM and, sure enough, got the same error as you. 
However I'm no fedora person, not much of a docker guy and a first-timer with 
mirage, so I don't really want to go after this. Especially as the AppVM is 
only for the build and can be thrown away after that.

>
> As far as I have understood, the VM is just for the building process, and 
> I can find the result, a file called mirage-firewall.tar.bz2, in the _build 
> folder afterwards; I need to transfer this folder to dom0 and unpack 
> it to /var/lib/qubes/vm-kernels.
> Then I can use the new kernel.

Exactly. (Or if you don't trust that the .tar.bz2 file won't try to exploit a 
bug in dom0 upon decompression, just transfer the 3 files in it separately. :) )

>
> Maybe a stupid question, but ...
> As the AppVM including docker is just needed to build the kernel, wouldn't it 
> be much easier if the mirage-firewall could be added via a sudo 
> qubes-dom0-update like any other package?
>
> Maybe only in the testing or a community repository?

Sure it would be, but the trust building is never easy.

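The check qmirfw hints at above (not handing an archive from the build VM to tar in dom0 blindly), as an added example that is not code from the thread or from the qubes-mirage-firewall project: a POSIX sh snippet for dom0 that verifies the sha256 of the fetched tarball and allow-lists its members before extracting into /var/lib/qubes/vm-kernels. The member names (mirage-firewall/vmlinuz, initramfs, modules.img), the function names and the expected-hash argument are assumptions, not stated in the thread.

```bash
#!/bin/sh
# Added example for dom0 (not from the thread or the qubes-mirage-firewall project).
# Before anything from the build VM lands in /var/lib/qubes/vm-kernels, the tarball
# is fetched to a temporary file, its sha256 is compared with the expected value,
# and its member list is checked against an allow-list, so an archive with extra,
# absolute or '..' paths is never handed to tar for extraction in dom0.
# Assumptions: the expected hash is supplied by the caller (release notes or the
# build output); the member names below are an assumption about the tarball
# layout, not something the thread states.

ALLOWED_ENTRIES="mirage-firewall/ mirage-firewall/vmlinuz mirage-firewall/initramfs mirage-firewall/modules.img"

# sha256_of FILE: print the hex digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_hash FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_hash() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# check_tar_entries TARBALL: succeed only if every member is on the allow-list.
# `tar tf` lists members without extracting anything; compression is detected
# automatically, so .tar and .tar.bz2 both work. Member type (symlink vs.
# regular file) is not checked here; `tar tvf` would show it.
check_tar_entries() {
    listing=$(tar tf "$1") || return 1
    status=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            /* | *..* ) echo "rejected path: $entry" >&2; status=1; continue ;;
        esac
        ok=0
        for allowed in $ALLOWED_ENTRIES; do
            if [ "$entry" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -ne 1 ]; then
            echo "unexpected member: $entry" >&2
            status=1
        fi
    done <<EOF
$listing
EOF
    return "$status"
}

# import_kernel BUILDVM TARBALL_PATH EXPECTED_SHA256: fetch the tarball over
# qvm-run --pass-io as the thread does, run both checks, and only then unpack
# into /var/lib/qubes/vm-kernels. Run as root in dom0.
import_kernel() {
    buildvm=$1; tarball=$2; expected=$3
    tmp=$(mktemp /tmp/mirage-import.XXXXXX) || return 1
    if ! qvm-run --pass-io --no-gui "$buildvm" "cat '$tarball'" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if verify_hash "$tmp" "$expected" && check_tar_entries "$tmp"; then
        tar xf "$tmp" -C /var/lib/qubes/vm-kernels
        status=$?
    else
        echo "refusing to unpack $tarball from $buildvm" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}
```

Usage in dom0 would be `import_kernel my-mirage-buildvm qubes-mirage-firewall/mirage-firewall.tar.bz2 <expected sha256>`; the hash must come from a source you trust, not from the build VM itself.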


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello qmirfw,

'qmirfw' via qubes-users wrote on Tue., 9 Apr. 2019, 00:51:

> On Monday, April 8, 2019 11:40 PM, 799 wrote:
> > Any ideas what I am missing?
>
> I don't know. I just did a build using fedora (based on unmodified Qubes
> fedora-29 template) and got no error, final checksum checks out. This is
> what I did:
> (...)
>

Thanks for the summary, this is what I was looking for. I am using
fedora-29-minimal for all my AppVMs, therefore I didn't think that the
problem might be template related.
I'll run the same steps you did tomorrow.

As far as I have understood, the VM is just for the building process, and
I can find the result, a file called mirage-firewall.tar.bz2, in the
_build folder afterwards; I need to transfer this folder to dom0
and unpack it to /var/lib/qubes/vm-kernels.
Then I can use the new kernel.

Maybe a stupid question, but ...
As the AppVM including docker is just needed to build the kernel, wouldn't
it be much easier if the mirage-firewall could be added via a sudo
qubes-dom0-update like any other package?

Maybe only in the testing or a community repository?

- O



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
On Monday, April 8, 2019 11:40 PM, 799 wrote:
> Any ideas what I am missing?

I don't know. I just did a build using fedora (based on unmodified Qubes 
fedora-29 template) and got no error, final checksum checks out. This is what I 
did:

# # # In dom0 root terminal:
qvm-create miragebuildfedora --class=AppVM --label=red --template=fedora-29
qvm-volume resize miragebuildfedora:private $((20*1024*1024*1024))
qvm-run miragebuildfedora gnome-terminal

# # # In miragebuildfedora user terminal:
sudo mkdir /home/user/var_lib_docker
sudo ln -s /home/user/var_lib_docker /var/lib/docker
sudo dnf install docker
sudo systemctl start docker
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
git pull origin pull/52/head
sudo ./build-with-docker.sh

# # # done.



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users


On Monday, April 8, 2019 11:40 PM, 799 wrote:

> I tried to build mirage in a new template VM which is based on 
> fedora-29-minimal, but run into an error.

I don't understand why you want to do all that in a TemplateVM, and not an 
AppVM.

Also why fight with Fedora, if my simple Debian based build gives the same 
binary as the official (equal checksum).

(Quick note, if you insist: you don't have to symlink the docker dir to /home, 
simply increase :root instead of :private)

I'll try the docker build in a fedora appvm and see if I also get that error...



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber

@799, I got these errors when using the repo version of docker instead
of docker-ce directly (see my last 2-3 posts here).

See https://docs.docker.com/install/linux/docker-ce/debian/
and https://docs.docker.com/install/linux/docker-ce/fedora/

for download instructions.

@Thomas Leonard: YES, I got through!! My error was my fault: some files
were owned by root and not user, the Lord knows why. Your line
  docker run --rm -it --entrypoint bash -v $(pwd):/home/opam/qubes-mirage-firewall qubes-mirage-firewall
helped me out of that. THANK YOU for your patience.




On 4/9/19 7:40 AM, 799 wrote:
> [...]




Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello,

I've created a howto page in the Qubes Community docs to collect all
information which is needed to build/install the mirage firewall for qubes
OS.
https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md

I tried to build mirage in a new template VM which is based on
fedora-29-minimal, but ran into an error.
Can you take a look and give me a hint what I am missing?

--- --- 8< --- --- --- ---

MirageTemplateVM=t-fedora-29-mirage
# create a new template VM
qvm-clone fedora-29-minimal $MirageTemplateVM

# Resize private disk to 10 GB
qvm-volume extend $MirageTemplateVM:private 10GB

# Create a symbolic link to save docker into the home directory
# (the link has to point from /var/lib/docker to the directory under /home)
qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
  'mkdir -p /home/user/docker && ln -s /home/user/docker /var/lib/docker'

# Install docker and git
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'dnf -y install docker git'

# To get networking in the template VM
qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
  'dnf -y install qubes-core-agent-networking'
qvm-shutdown --wait $MirageTemplateVM
qvm-prefs $MirageTemplateVM netvm sys-firewall
qvm-start $MirageTemplateVM

# Launch docker
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'systemctl start docker'

# Download and build mirage for qubes
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'cd /home/user && \
   git clone https://github.com/mirage/qubes-mirage-firewall.git && \
   cd qubes-mirage-firewall && \
   ./build-with-docker.sh'

--- --- 8< --- --- --- ---

Unfortunately I ran into an error during the build process:

[...]
Building Firewall...
error while executing ocamlbuild -use-ocamlfind -classic-display -tags
bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
-pkgs mirage config.cmxs
+ mkdir /home/opam/qubes-mirage-firewall/_build
mkdir: cannot create directory
'/home/opam/qubes-mirage-firewall/_build': Permission denied
Command exited with code 1.
Failure:
  Error during command "mkdir
/home/opam/qubes-mirage-firewall/_build":
Ocamlbuild_pack.My_std.Exit_with_code(10)


Maybe because there is no folder /home/opam/... ??

I have also integrated pull request 52 via:
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'cd /home/user/qubes-mirage-firewall && \
   git pull origin pull/52/head && \
   rm -rf _build && \
   sudo ./build-with-docker.sh'

And I have manually created the missing folder above via

qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'mkdir /home/opam/qubes-mirage-firewall/'

Even then I still ran into the same error.

Any ideas what I am missing?

- O



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello,

'qmirfw' via qubes-users  schrieb am Mo., 8.
Apr. 2019, 16:08:

> (...)
> This is what I do:

(...)
>

Unfortunately I don't understand all steps, for example what ...
# Fix the reproducible build
git pull origin pull/52/head
... means.

As the firewall is very (!) important to keep Qubes OS, or more specifically the
AppVM separation, safe, I will only use it if there is a clear procedure for
what needs to be done.

Will it only work with Debian 10 (which doesn't seem to be considered stable;
AFAIK it's not in the Qubes 4 productive repositories yet)?

I would like to see a document which takes the user from a default Qubes 4
installation and ends in a working mirage firewall.

Can we build it from a fedora-29 based template?

Also it would be great if we put the howto up on the Qubes Community Docs
so that we can improve it there for future use(rs).
As mentioned I would be happy to contribute to the documentation, but a
better starting point would be great.

I think a good howto would also make sure that all steps can be done from
dom0 (via qvm-run) to make it scriptable for future and simpler usage.

- O



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
‐‐‐ Original Message ‐‐‐
On Monday, April 8, 2019 2:29 PM, haaber wrote:

> > Addition: but even after successful compilation, the hash still didn't 
> > match for me, probably because of what Thomas Leonard already mentioned ( 
> > https://github.com/mirage/qubes-mirage-firewall/pull/52 ). Can we get a 
> > 0.5.1 release? I'd contribute with a more step-by-step build instructions 
> > doc for Qubes + Debian (no need for Fedora).
>
> Q1: So you got through without the strange "mkdir: cannot create
> directory '/home/opam/qubes-mirage-firewall/_build': Permission denied"
> error at the final build that blocks me?
>
> Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
> folder without fiddling files by hand?
>


I don't get that mkdir error. After integrating pull/52, the hash matches.

This is what I do:

# # # In dom0 root terminal:

# We can't use a DisposableVM, as their disk size can't be increased while
# running, so let's create a normal AppVM
qvm-create miragebuild --class=AppVM --label=red --template=some_debian-10_template
# Give it some space
qvm-volume resize miragebuild:private $((20*1024*1024*1024))
# Run it
qvm-run miragebuild gnome-terminal

# # # In miragebuild VM user terminal:

# The whole docker thing won't fit in /var/lib, but will fit in /home
sudo mkdir /home/user/var_lib_docker
sudo ln -s /home/user/var_lib_docker /var/lib/docker
sudo apt update
sudo apt install docker.io
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
# Fix the reproducible build
git pull origin pull/52/head
# By default docker under Qubes can't get out to the network, so we use
# --network=host, this is a single use VM anyway
sed s/'docker build -t qubes-mirage-firewall .'/'docker build --network=host -t qubes-mirage-firewall .'/ build-with-docker.sh >build-with-docker_networkfix.sh
# Let's build
sudo sh ./build-with-docker_networkfix.sh

# done.

After this the hash matches 
(ce9a16b6f5ce0123f289b3586492f9f4b921f6e788f8e333784545807bb1b0f2)



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread Thomas Leonard
On Monday, April 8, 2019 at 1:29:53 PM UTC+1, haaber wrote:
[...]
> Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
> folder without fiddling files by hand?

To test that PR:

git pull origin pull/52/head
rm -rf _build
sudo ./build-with-docker.sh



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread Thomas Leonard
On Monday, April 8, 2019 at 12:29:30 PM UTC+1, haaber wrote:
> here is some build-news. next hint: give your template a lot of *disk
> space*. My last error was due to that, but of course it did not tell me
> "disc full" but some random other message. So now I am getting closer:
> sudo ./build-with-docker.sh
> 
> 
> Step 9/9:
> Successfully tagged qubes-mirage-firewall:latest
> Building Firewall...
> error while executing ocamlbuild -use-ocamlfind -classic-display -tags
>  bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
>  -pkgs mirage config.cmxs
> + mkdir /home/opam/qubes-mirage-firewall/_build
> mkdir: cannot create directory
> '/home/opam/qubes-mirage-firewall/_build': Permission denied
> Command exited with code 1.
> Failure:
>Error during command "mkdir /home/opam/qubes-mirage-firewall/_build":
> Ocamlbuild_pack.My_std.Exit_with_code(10).
> 
> --
> 
> so we are back with the question of /home/opam instead of /home/user ...
> 
> Is docker trying to write to the "real" /home  or at some sort of
> chroot'ed  /home  inside docker ???   Aaaargh!

`_build` is your _build directory, which is mounted into the chroot by the -v 
option. You can go into the environment yourself and try making it manually to 
find out what the problem is:

$ docker run --rm -it --entrypoint bash -v $(pwd):/home/opam/qubes-mirage-firewall qubes-mirage-firewall
opam@aaa050f3779c:~/qubes-mirage-firewall$ mkdir _build

The Docker build user has UID 1000, which should be the same as the default 
qubes user (use "id" inside and outside of the build environment to see).

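Thomas Leonard's UID diagnosis above, turned into a pre-flight check for the build VM as an added example (not code from the thread or from the qubes-mirage-firewall project): it lists every file in the checkout not owned by the container's build UID, which is exactly what produces the "Permission denied" on mkdir _build. The function names are mine; it assumes GNU find for `! -uid` and the UID 1000 stated above.

```bash
#!/bin/sh
# Added example for the build VM (not from the thread or the project).
# build-with-docker.sh bind-mounts the checkout into the container, where the
# build runs as UID 1000 (see above); any file in the checkout owned by a
# different UID, e.g. after cloning with sudo or via `qvm-run --user root`,
# makes the container's `mkdir _build` fail with "Permission denied".
# Assumptions: GNU find (for `! -uid`); BUILD_UID is the value from the thread.

BUILD_UID=1000

# foreign_files DIR UID: print every path under DIR that is not owned by UID.
foreign_files() {
    find "$1" ! -uid "$2"
}

# check_checkout_owner DIR [UID]: succeed only if DIR and everything under it
# is owned by UID (default 1000); otherwise list the offending paths on stderr
# together with the repair, which is what haaber had to work out by hand.
check_checkout_owner() {
    dir=$1
    uid=${2:-$BUILD_UID}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    bad=$(foreign_files "$dir" "$uid") || return 2
    if [ -n "$bad" ]; then
        echo "not owned by UID $uid (repair: sudo chown -R $uid '$dir' && rm -rf '$dir/_build'):" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Typical use in the build VM, before starting the build:
#   check_checkout_owner ~/qubes-mirage-firewall && sudo ./build-with-docker.sh
```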


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber

> Addition: but even after successful compilation, the hash still didn't match 
> for me, probably because of what Thomas Leonard already mentioned ( 
> https://github.com/mirage/qubes-mirage-firewall/pull/52 ). Can we get a 0.5.1 
> release? I'd contribute with a more step-by-step build instructions doc for 
> Qubes + Debian (no need for Fedora).


Q1: So you got through without the strange "mkdir: cannot create
directory '/home/opam/qubes-mirage-firewall/_build': Permission denied"
error at the final build that blocks me?

Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
folder without fiddling files by hand?

Cheers, Bernhard

‐‐‐ Original Message ‐‐‐
On Monday, April 8, 2019 2:02 PM, 'qmirfw' via qubes-users wrote:

> The docker container can't access the network. To solve change
> docker build -t qubes-mirage-firewall .
> to
> docker build --network=host -t qubes-mirage-firewall .
> in build-with-docker.sh .
>
> This way the container shares the host network, which would be an antipattern, 
> but we are using throw away VMs anyway.







Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
Addition: but even after successful compilation, the hash still didn't match 
for me, probably because of what Thomas Leonard already mentioned ( 
https://github.com/mirage/qubes-mirage-firewall/pull/52 ). Can we get a 0.5.1 
release? I'd contribute with a more step-by-step build instructions doc for 
Qubes + Debian (no need for Fedora).


‐‐‐ Original Message ‐‐‐
On Monday, April 8, 2019 2:02 PM, 'qmirfw' via qubes-users 
 wrote:

> The docker container can't access the network. To solve change
> docker build -t qubes-mirage-firewall .
> to
> docker build --network=host -t qubes-mirage-firewall .
> in build-with-docker.sh .
>
> This way the container shares the host network, which would be an 
> antipattern, but we are using throw away VMs anyway.
>




Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 'qmirfw' via qubes-users
The docker container can't access the network. To solve change
docker build -t qubes-mirage-firewall .
to
docker build --network=host -t qubes-mirage-firewall .
in build-with-docker.sh .

This way the container shares the host network, which would be an antipattern, 
but we are using throw away VMs anyway.



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber

Here is some build news. Next hint: give your template a lot of *disk
space*. My last error was due to that, but of course it did not tell me
"disc full" but some random other message. So now I am getting closer:
sudo ./build-with-docker.sh


Step 9/9:
Successfully tagged qubes-mirage-firewall:latest
Building Firewall...
error while executing ocamlbuild -use-ocamlfind -classic-display -tags
bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
-pkgs mirage config.cmxs
+ mkdir /home/opam/qubes-mirage-firewall/_build
mkdir: cannot create directory
'/home/opam/qubes-mirage-firewall/_build': Permission denied
Command exited with code 1.
Failure:
  Error during command "mkdir /home/opam/qubes-mirage-firewall/_build":
Ocamlbuild_pack.My_std.Exit_with_code(10).

--

so we are back with the question of /home/opam instead of /home/user ...

Is docker trying to write to the "real" /home or to some sort of
chroot'ed /home inside docker??? Aaaargh!



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread haaber



> I believe that the Qubes sys-firewall by default prevents template
> VMs from connecting to anything except their package repositories.
> It's OK to install Docker in a template VM if you want, but everything
> else should be done in an AppVM.

No, I use a StandAlone debian buster with net access via sys-firewall.



> I've added more details at
> https://github.com/mirage/qubes-mirage-firewall/pull/51/files
>
> I tested this with Debian 9, but I assume it would work the same on
> Debian 10.
>
> By the way, while testing it I found one case where the hash can
> change even with Docker, and proposed a fix for that at
> https://github.com/mirage/qubes-mirage-firewall/pull/52


So here is some progress. Do not use debian repos for docker (at least
not if your debian is <= buster). They are still too old. Rather install
from docker itself, as explained here

https://docs.docker.com/install/linux/docker-ce/debian/

hint: download the pgp key via tor with a reasonable time-delay to
reduce a bit the risk of getting served tampered keys. Since you
probably cannot verify it further, that is all one can do.

The newest docker lets me get past my previous problem (git error
message). But of course building wouldn't be fun if it just went
through, right? So, now it stops here:


<><> jbuilder.transition installed successfully
<><><><><><><><><><><><><><><><>
=> Jbuilder has been renamed and the jbuilder package is now a
transition package. Use the dune package instead.
# Run eval $(opam env) to update the current shell environment

The former state can be restored with:
opam switch import "/home/opam/.opam/4.07/.opam-switch/backup/state-20190408104449.export"
The command '/bin/sh -c opam install -y vchan xen-gnt mirage-xen-ocaml mirage-xen-minios io-page mirage-xen mirage mirage-nat mirage-qubes' returned a non-zero code: 31

--


Of course, I have even less clues what that is about. Let's see.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6d8f3ebf-3262-ddd3-a5f1-92d8ddd3958c%40web.de.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread Thomas Leonard
On Monday, April 8, 2019 at 2:20:28 AM UTC+1, haaber wrote:
> > On Sunday, April 7, 2019 at 6:06:13 AM UTC+1, haaber wrote:
> >> Hey Thomas,
> >>
> >> You are right, it was definitely better to put the FAQ on the site
> >> (and this list). I did set up a standalone debian-10 to build, and the
> >> process went through smoothly. Thank you. The 'but' comes now: BUT, in
> >> the end the checksum fails!
> >
> > Did you use Docker to build it in your standalone qube? It should match if 
> > so. If not, it's unlikely to match because you're probably building against 
> > different library versions.
> 
> OK that is a convincing argument for docker. So: I did it, actually
> three times, more and more frustrated. First in my "failed" template,
> then after having wiped old build remainders, then, to be sure, in a
> brand new debian-10. I did (and only did(!), since it was a brand new
> template)
> 
> sudo apt-get install docker docker.io
> git clone https://github.com/mirage/qubes-mirage-firewall.git
> cd qubes-mirage-firewall
> su
> bash -x ./build-with-docker.sh
> 
> 
> This fails, reproducibly over two days and several templates. Here is
> the output (sorry, a few lines)
[...]
> fatal: Unable to look up github.com (port 9418) (Temporary failure in
> name resolution)

I believe that the Qubes sys-firewall by default prevents template VMs from 
connecting to anything except their package repositories. It's OK to install 
Docker in a template VM if you want, but everything else should be done in an 
AppVM.

I've added more details at 
https://github.com/mirage/qubes-mirage-firewall/pull/51/files

I tested this with Debian 9, but I assume it would work the same on Debian 10.

By the way, while testing it I found one case where the hash can change even 
with Docker, and proposed a fix for that at 
https://github.com/mirage/qubes-mirage-firewall/pull/52

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f7d1494e-aea5-4ba1-883c-6fc805f71af0%40googlegroups.com.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-07 Thread haaber

Hi 799,


> Are you using a standalone Debian VM to build the docker image?
> Additionally, does it have to be a Debian 10?
> As far as I know debian-10 is in testing (?).


If you look at the instructions in
https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md
you'll see that building appears to be "thought" for fedora rather than
debian. But Thomas Leonard states that debian should work as well. I
had simply removed all of Fedora from my machine (but dom0 :), and I
like to keep it that way.

Of course debian buster is testing, but it is rather at the end of its
testing phase. Many packages are more recent than in stretch. That made
me go this way. If I manage to solve it, I'll post here how I did,
of course.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/28134948-f4a2-f352-d329-83f9fe544475%40web.de.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-07 Thread 799
Hello haaber,

As you have at least some more progress and are currently busy resolving
issues with the build process, maybe you can help me get to this point.

haaber wrote on Mon., 8 April:

> (...) So: I did it, actually
> three times, more and more frustrated.


Are you using a standalone Debian VM to build the docker image?
Additionally, does it have to be a Debian 10?
As far as I know debian-10 is in testing (?).

I would like to use fedora-29 as my base image, as all my other templates
are also fedora based - will this work?

- O

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vhkU7oveQxJKefsDp6R8MqZ8S5fa01CAFrgwfbVd4MtQ%40mail.gmail.com.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-07 Thread haaber

> On Sunday, April 7, 2019 at 6:06:13 AM UTC+1, haaber wrote:
> > Hey Thomas,
> >
> > You are right, it was definitely better to put the FAQ on the site
> > (and this list). I did set up a standalone debian-10 to build, and the
> > process went through smoothly. Thank you. The 'but' comes now: BUT, in
> > the end the checksum fails!
>
> Did you use Docker to build it in your standalone qube? It should match if so.
> If not, it's unlikely to match because you're probably building against
> different library versions.


OK that is a convincing argument for docker. So: I did it, actually
three times, more and more frustrated. First in my "failed" template,
then after having wiped old build remainders, then, to be sure, in a
brand new debian-10. I did (and only did(!), since it was a brand new
template)

sudo apt-get install docker docker.io
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
su
bash -x ./build-with-docker.sh


This fails, reproducibly over two days and several templates. Here is
the output (sorry, a few lines)


+ set -eu
+ echo Building Docker image with dependencies..
Building Docker image with dependencies..
+ docker build -t qubes-mirage-firewall .
Sending build context to Docker daemon  81.41kB
Step 1/9 : FROM ocaml/opam2@sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562
sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562: Pulling from ocaml/opam2
ab1fc7e4bf91: Pull complete
6f18bf102670: Pull complete
699ebb14d422: Pull complete
cf587ba18bc9: Pull complete
d3a929149973: Pull complete
9a6a034ad342: Pull complete
9bb3db9d2528: Pull complete
b87ea99b2663: Pull complete
b53e97a27ef2: Pull complete
Digest: sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562
Status: Downloaded newer image for ocaml/opam2@sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562
 ---> c1014001338e
Step 2/9 : RUN git fetch origin && git reset --hard c261c4ee9c1ef032af93483913b60f674d4acdb2 && opam update
 ---> Running in 41cc0084931b
fatal: Unable to look up github.com (port 9418) (Temporary failure in name resolution)
The command '/bin/sh -c git fetch origin && git reset --hard c261c4ee9c1ef032af93483913b60f674d4acdb2 && opam update' returned a non-zero code: 128



Of course, I DID check that I can resolve and ping github, and that the
port is up and open (nmap). So this error message is not quite
understandable. I feel stupid and helpless. That's the downside of
building that I have experienced for decades now: if you cannot build
everything by hand yourself, any build script will betray you sooner or
later. Sadly yours,



To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ed3a7ede-0ece-f76f-31d9-661542cee982%40web.de.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-07 Thread Thomas Leonard
On Sunday, April 7, 2019 at 6:06:13 AM UTC+1, haaber wrote:
> Hey Thomas,
> 
> You are right, it was definitely better to put the FAQ on the site
> (and this list). I did set up a standalone debian-10 to build, and the
> process went through smoothly. Thank you. The 'but' comes now: BUT, in
> the end the checksum fails!
> 
> sha256sum vmlinuz
> 570be5685298acb014cfaec132a35469e1cafbe2f731945dc5c57e8956e6638f

Did you use Docker to build it in your standalone qube? It should match if so. 
If not, it's unlikely to match because you're probably building against 
different library versions.

> I stored the output of find . -type f -exec sha256sum \{} \;  of the
> qubes-mirage-firewall folder in this file
> 
> https://framabin.org/p/?d9b2b5de724e5c2a#20uFbk/hVlaZnMqHYQ/DXjv9Lav3+Y8Fw7rU05k1IhY=
> 
> to avoid sending 260 lines here. If someone has recently built the
> version 0.5, could you run a diff on that to see what happened? Cheers,
> Bernhard

If you want to check that building without Docker gives exactly the same result 
as building with it (which might not be too easy...) you'll need to make sure 
that every installed OCaml library has the same version at least.

I'd suggest copying the firewall directory and building the copy with Docker 
(be sure to delete the copied _build directory first). Then you can compare 
between the two on your own computer.

For example, running "opam list" will show you the local (non-Docker) versions 
chosen.

To enter the Docker virtual build environment (after building), do:

$ docker run --rm -it --entrypoint bash qubes-mirage-firewall

That will get you a bash prompt, and you can run "opam list" there to see which 
versions the Docker build is using, and compare.

Note that any changes you make within the Docker build environment will be lost 
when you exit the shell.

To make sure it always uses the same version, the Docker image contains a Git 
clone of the opam repository, which it pins (in Dockerfile) to a particular 
commit. That means that the build-with-docker script will always build against 
the versions available at that fixed point in time, not the latest ones.

You might also find that Debian packages affect it (e.g. make sure you have the 
same version of gcc, as there are a few C source files used too).

If you need to get things in or out of the Docker environment, you can use -v 
to share a directory. e.g.

$ docker run --rm -it -v $(pwd):/mnt --entrypoint bash qubes-mirage-firewall

will share the current directory with Docker, mounted at `/mnt` in the virtual 
environment.

You might also be interested in the console output from the Travis CI build 
(this also lists the versions used):

https://travis-ci.org/mirage/qubes-mirage-firewall/builds/515629873

Hope that helps.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8e80a54d-a0b4-41cb-969e-01950f6f49a4%40googlegroups.com.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-07 Thread Johannes Graumann
On Sat, 2019-04-06 at 06:31 -0700, Thomas Leonard wrote:
> I got a few emails about this. I'm going to answer the questions here
> because this is a community project and everyone should see the
> discussion.
> 
> Q: The build-with-docker script hard-codes /home/opam. What if your
> user has a different name?
> 
> The Docker build creates a virtual environment based on the
> `ocaml/opam2:debian-9-ocaml-4.07` image (template). In this image,
> the user is always called "opam".
> 
> Using Docker means that every build is exactly the same, regardless
> of whether you're using Fedora or Debian as the OS for your Qube. The
> build script contains the hash of the expected image, so you can be
> sure the unikernel you built is byte-for-byte identical with the one
> we built.
> 
> It also means that you don't have to install any special tools
> (except Docker itself). The build is isolated from your own files,
> except that it shares the `_build` directory, which is where you will
> find the output files.
> 
> Q: Can I build on Debian without using Docker?
> 
> Yes. I got it working with this:
> 
> sudo apt-get update
> sudo apt-get install rsync pkg-config git gcc make m4 patch unzip
> bubblewrap curl 0install-core
> 0install add opam http://tools.ocaml.org/opam.xml
> opam init --compiler=4.07.1 --disable-sandboxing
> eval $(opam env)
> opam install mirage
> mirage configure -t xen && make depend && make tar
> 
> Trying to keep these instructions up-to-date wastes a lot of
> volunteer time however, so I would much prefer people to use the
> Dockerfile if they have any problems building with their own OS.
> 
> Q: Why does installing opam without Docker want to modify my
> .profile?
> 
> So it can make commands such as `ocaml` point to the ones that it has
> installed in your home directory. If you're worried about what opam
> is doing to your system, I suggest using the build-with-docker script
> to sandbox everything.
> 
> Q: Do I need some standalone system that docker can 'mess up' and
> that I delete after build?
> 
> Feel free to create a `firewall-builder` VM for this if you don't
> trust Docker to sandbox things correctly in your existing qubes.
> 
> Q: You have binaries on the github site, but neither checksums nor
> signatures
> 
> There is a checksum in the build-with-docker file which should match
> the binary. In the case of the 0.5 release, you should see:
> 
> $ sha256sum vmlinuz
> 1f72adad30cbd4f8315983240bd150811084cb93d360c14740fadb36394c7aa8  vmlinuz
> 
> Perhaps future releases will come with signatures.
> 
> Q: Where can I ask questions about this?
> 
> - You can reply to this thread, where I will see it along with other
> Qubes users (I know several people here are using it; see previous
> discussions).
> - You can file issues at 
> https://github.com/mirage/qubes-mirage-firewall/issues
> - You can ask on the Mirage mailing list - see 
> https://mirage.io/community/
> - To report a security bug, see https://mirage.io/security

Has anyone tried to build using podman (https://podman.io/)?

Sincerely, Joh

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/da7fca1ebeb57462df713096f0b82af15a4dfcfa.camel%40graumannschaft.org.


Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-06 Thread haaber

Hey Thomas,

You are right, it was definitely better to put the FAQ on the site
(and this list). I did set up a standalone debian-10 to build, and the
process went through smoothly. Thank you. The 'but' comes now: BUT, in
the end the checksum fails!

sha256sum vmlinuz
570be5685298acb014cfaec132a35469e1cafbe2f731945dc5c57e8956e6638f

I stored the output of find . -type f -exec sha256sum \{} \;  of the
qubes-mirage-firewall folder in this file

https://framabin.org/p/?d9b2b5de724e5c2a#20uFbk/hVlaZnMqHYQ/DXjv9Lav3+Y8Fw7rU05k1IhY=

to avoid sending 260 lines here. If someone has recently built the
version 0.5, could you run a diff on that to see what happened? Cheers,
Bernhard

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/beaa934c-efeb-a24e-96d1-b2c45e8a4c41%40web.de.


[qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-06 Thread Thomas Leonard
I got a few emails about this. I'm going to answer the questions here because 
this is a community project and everyone should see the discussion.

Q: The build-with-docker script hard-codes /home/opam. What if your user has a 
different name?

The Docker build creates a virtual environment based on the 
`ocaml/opam2:debian-9-ocaml-4.07` image (template). In this image, the user is 
always called "opam".

Using Docker means that every build is exactly the same, regardless of whether 
you're using Fedora or Debian as the OS for your Qube. The build script 
contains the hash of the expected image, so you can be sure the unikernel you 
built is byte-for-byte identical with the one we built.

It also means that you don't have to install any special tools (except Docker 
itself). The build is isolated from your own files, except that it shares the 
`_build` directory, which is where you will find the output files.

Q: Can I build on Debian without using Docker?

Yes. I got it working with this:

sudo apt-get update
sudo apt-get install rsync pkg-config git gcc make m4 patch unzip 
bubblewrap curl 0install-core
0install add opam http://tools.ocaml.org/opam.xml
opam init --compiler=4.07.1 --disable-sandboxing
eval $(opam env)
opam install mirage
mirage configure -t xen && make depend && make tar

Trying to keep these instructions up-to-date wastes a lot of volunteer time 
however, so I would much prefer people to use the Dockerfile if they have any 
problems building with their own OS.

Q: Why does installing opam without Docker want to modify my .profile?

So it can make commands such as `ocaml` point to the ones that it has installed 
in your home directory. If you're worried about what opam is doing to your 
system, I suggest using the build-with-docker script to sandbox everything.

Q: Do I need some standalone system that docker can 'mess up' and that I delete 
after build?

Feel free to create a `firewall-builder` VM for this if you don't trust Docker 
to sandbox things correctly in your existing qubes.

Q: You have binaries on the github site, but neither checksums nor signatures

There is a checksum in the build-with-docker file which should match the 
binary. In the case of the 0.5 release, you should see:

$ sha256sum vmlinuz 
1f72adad30cbd4f8315983240bd150811084cb93d360c14740fadb36394c7aa8  vmlinuz

Perhaps future releases will come with signatures.

Q: Where can I ask questions about this?

- You can reply to this thread, where I will see it along with other Qubes 
users (I know several people here are using it; see previous discussions).
- You can file issues at https://github.com/mirage/qubes-mirage-firewall/issues
- You can ask on the Mirage mailing list - see https://mirage.io/community/
- To report a security bug, see https://mirage.io/security

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ea8b34c5-20ee-44db-acbe-c59ad22cc57c%40googlegroups.com.
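Two checks come up in this thread: Thomas's FAQ point that the built vmlinuz must match the sha256 published for the release, and his later advice to compare "opam list" output from the local and Docker environments when it does not. The POSIX shell script below is an added example (not code from the thread or from the qubes-mirage-firewall project) that puts both into functions: install a built kernel only if its digest matches, and otherwise diff two opam package lists to find the diverging library. The file names, the sample package lists and their version numbers are constructed for the demo; the 0.5 release digest is the one quoted in the thread.

```shell
# Added example, not from the thread or the project. install_verified_kernel
# copies a built vmlinuz only if its sha256 matches the expected digest;
# opam_version_diff compares two "opam list" dumps (local vs Docker build env).
set -eu

# Copy SRC into DEST_DIR only if sha256(SRC) == EXPECTED; return 1 otherwise.
install_verified_kernel() {
    src=$1; expected=$2; dest_dir=$3
    actual=$(sha256sum "$src" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        printf 'hash mismatch for %s: expected %s, got %s\n' "$src" "$expected" "$actual" >&2
        return 1
    fi
    mkdir -p "$dest_dir"
    cp "$src" "$dest_dir/"
}

# Read two "opam list" dumps (columns: name, version, synopsis; '#' lines are
# headers) and print "name local_version docker_version" for every package whose
# version differs or that is installed in only one environment ("-" = absent).
opam_version_diff() {
    awk '
        /^#/ || NF < 2 { next }
        FILENAME == ARGV[1] { lv[$1] = $2; seen[$1] = 1; next }
        { dv[$1] = $2; seen[$1] = 1 }
        END {
            for (p in seen) {
                l = (p in lv) ? lv[p] : "-"
                d = (p in dv) ? dv[p] : "-"
                if (l != d) print p, l, d
            }
        }' "$1" "$2" | sort
}

# Constructed sample dumps (package versions invented for the demo, not real
# opam output from either environment).
write_sample_lists() {
    cat > "$1/local.txt" <<'EOF'
# Packages matching: installed
# Name        # Installed # Synopsis
mirage        3.5.0       The MirageOS library operating system
mirage-nat    1.2.0       Mirage implementation of NAT
tcpip         3.7.0       OCaml TCP/IP networking stack
EOF
    cat > "$1/docker.txt" <<'EOF'
# Packages matching: installed
# Name        # Installed # Synopsis
mirage        3.5.0       The MirageOS library operating system
mirage-nat    1.1.0       Mirage implementation of NAT
mirage-qubes  0.7.0       Implementations of various Qubes protocols
EOF
}

# Demo on constructed input: an empty file stands in for vmlinuz, so the
# matching digest is the well-known sha256 of empty input.
main() {
    tmp=$(mktemp -d)
    : > "$tmp/vmlinuz"
    empty_sha=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    install_verified_kernel "$tmp/vmlinuz" "$empty_sha" "$tmp/kernels" && echo "installed"
    # The 0.5 release digest from the thread cannot match the empty file: the
    # install is refused and the library versions are compared instead.
    release_sha=1f72adad30cbd4f8315983240bd150811084cb93d360c14740fadb36394c7aa8
    install_verified_kernel "$tmp/vmlinuz" "$release_sha" "$tmp/kernels" \
        || { write_sample_lists "$tmp"; opam_version_diff "$tmp/local.txt" "$tmp/docker.txt"; }
    rm -rf "$tmp"
}
main
```

On a real build you would point it at `_build` output and the digest from build-with-docker.sh, and feed it `opam list` captured locally and inside `docker run --rm -it --entrypoint bash qubes-mirage-firewall`.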