debian template
102 views
Skip to first unread message
HW42
Nov 3, 2014, 11:13:27 PM11/3/14
to qubes...@googlegroups.com
Hi,
I worked a bit on the debian template.
My changes consist mainly in making the fedora systemd services running
under Debian (I know Marek has started doing something similar).
These changes should enable debian-templates to be used as netvm,
proxyvm, dispvm.
You can get it from here (only via git. no gitweb):
https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
https://git.ipsumj.de/hw42/qubes/linux-utils.git
There are two tags. hw42_debian-systemd-1 are my original changes which
are better tested. hw42_debian-systemd-2 are merged with the latest
changes from Marek. These should also work well (I'm writing this Email
with a VM based on them) but are less tested.
Please note that I have tested my changes only in my custom debian
unstable template (and some quick test on the "official" debian
template). I originally planed to test it better but since Marek and the
whonix-guys seems to do similar work as I have already done I thought
its better to publish it now.
A lot of the incompatibility were simple path miss matches (especially
xenstore-*). I simply removed the absolute paths - Are there any good
reasons to hardcode the paths?
0d0261d is not backward compatible. So if you downgrade the packages you
have to undo it manually.
Some things are still missing:
- update proxy in netvm.
- NetworkManager is untested since I don't use it.
- App-Menus
- ...
HW42
PS: Some notes on how to verify my Code:
The git tags are signed my Qubes-Code-Signing-Key [0]. This key can be
downloaded here [1]. It's signed by my email-Key [2]. Since I don't
known anybody of the Qubes project personally the verification of this
key is a bit tricky. All my signed emails to this list (not all are
signed) should be signed by this key.
The https-downloads (the repo and the key) can be verified by my private
CA [3] which should be verifiable via DNSSEC/DANE.
[0]: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
[1]: https://ipsumj.de/hw42.asc
[2]: AA27 B2CE F3A6 8BD1 4669 0713 E4AC C927 8A64 6816
[3]: https://ipsumj.de/ipsumj_ca_cert.pem
https://ipsumj.de/ipsumj_ca_cert.pem.sig
(If you want to verify against my email key [2])
I worked a bit on the debian template.
My changes consist mainly in making the fedora systemd services running
under Debian (I know Marek has started doing something similar).
These changes should enable debian-templates to be used as netvm,
proxyvm, dispvm.
You can get it from here (only via git. no gitweb):
https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
https://git.ipsumj.de/hw42/qubes/linux-utils.git
There are two tags. hw42_debian-systemd-1 are my original changes which
are better tested. hw42_debian-systemd-2 are merged with the latest
changes from Marek. These should also work well (I'm writing this Email
with a VM based on them) but are less tested.
Please note that I have tested my changes only in my custom debian
unstable template (and some quick test on the "official" debian
template). I originally planed to test it better but since Marek and the
whonix-guys seems to do similar work as I have already done I thought
its better to publish it now.
A lot of the incompatibility were simple path miss matches (especially
xenstore-*). I simply removed the absolute paths - Are there any good
reasons to hardcode the paths?
0d0261d is not backward compatible. So if you downgrade the packages you
have to undo it manually.
Some things are still missing:
- update proxy in netvm.
- NetworkManager is untested since I don't use it.
- App-Menus
- ...
HW42
PS: Some notes on how to verify my Code:
The git tags are signed my Qubes-Code-Signing-Key [0]. This key can be
downloaded here [1]. It's signed by my email-Key [2]. Since I don't
known anybody of the Qubes project personally the verification of this
key is a bit tricky. All my signed emails to this list (not all are
signed) should be signed by this key.
The https-downloads (the repo and the key) can be verified by my private
CA [3] which should be verifiable via DNSSEC/DANE.
[0]: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
[1]: https://ipsumj.de/hw42.asc
[2]: AA27 B2CE F3A6 8BD1 4669 0713 E4AC C927 8A64 6816
[3]: https://ipsumj.de/ipsumj_ca_cert.pem
https://ipsumj.de/ipsumj_ca_cert.pem.sig
(If you want to verify against my email key [2])
HW42
Nov 3, 2014, 11:16:39 PM11/3/14
to qubes...@googlegroups.com
HW42:
core-agent-linux tag hw42_debian-systemd-3.
> Hi,
>
> I worked a bit on the debian template.
>
> My changes consist mainly in making the fedora systemd services running
> under Debian (I know Marek has started doing something similar).
>
> These changes should enable debian-templates to be used as netvm,
> proxyvm, dispvm.
>
> You can get it from here (only via git. no gitweb):
>
> https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
> https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
> https://git.ipsumj.de/hw42/qubes/linux-utils.git
>
> There are two tags. hw42_debian-systemd-1 are my original changes which
> are better tested. hw42_debian-systemd-2 are merged with the latest
> changes from Marek. These should also work well (I'm writing this Email
> with a VM based on them) but are less tested.
>
> Please note that I have tested my changes only in my custom debian
> unstable template (and some quick test on the "official" debian
> template). I originally planed to test it better but since Marek and the
> whonix-guys seems to do similar work as I have already done I thought
> its better to publish it now.
I just noticed that I have missed to depend on xen-utils. See
>
> I worked a bit on the debian template.
>
> My changes consist mainly in making the fedora systemd services running
> under Debian (I know Marek has started doing something similar).
>
> These changes should enable debian-templates to be used as netvm,
> proxyvm, dispvm.
>
> You can get it from here (only via git. no gitweb):
>
> https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
> https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
> https://git.ipsumj.de/hw42/qubes/linux-utils.git
>
> There are two tags. hw42_debian-systemd-1 are my original changes which
> are better tested. hw42_debian-systemd-2 are merged with the latest
> changes from Marek. These should also work well (I'm writing this Email
> with a VM based on them) but are less tested.
>
> Please note that I have tested my changes only in my custom debian
> unstable template (and some quick test on the "official" debian
> template). I originally planed to test it better but since Marek and the
> whonix-guys seems to do similar work as I have already done I thought
> its better to publish it now.
core-agent-linux tag hw42_debian-systemd-3.
Jason M
Nov 4, 2014, 1:10:19 AM11/4/14
to qubes...@googlegroups.com, hw...@ipsumj.de
On Monday, November 3, 2014 11:13:27 PM UTC-5, HW42 wrote:
Hi,
I worked a bit on the debian template.
My changes consist mainly in making the fedora systemd services running
under Debian (I know Marek has started doing something similar).
These changes should enable debian-templates to be used as netvm,
proxyvm, dispvm.
You can get it from here (only via git. no gitweb):
https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
https://git.ipsumj.de/hw42/qubes/linux-utils.git
Are these URL's correct? I am getting 404 errors.
I just finished writing the postinst code for core-agent-linux on the weekend and want to make sure we don't have any conflicts since the new template code relies on it.
I will also make sure that the current implementation of debian template works with your other module changes. Maybe there will be some code that can be removed from the templates now
HW42
Nov 4, 2014, 5:23:45 AM11/4/14
to Jason M, qubes...@googlegroups.com
Jason M:
for example $url/HEAD works.
Have you tried git clone $url.
>
>
> On Monday, November 3, 2014 11:13:27 PM UTC-5, HW42 wrote:
>>
>> Hi,
>>
>> I worked a bit on the debian template.
>>
>> My changes consist mainly in making the fedora systemd services running
>> under Debian (I know Marek has started doing something similar).
>>
>> These changes should enable debian-templates to be used as netvm,
>> proxyvm, dispvm.
>>
>> You can get it from here (only via git. no gitweb):
>>
>> https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
>> https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
>> https://git.ipsumj.de/hw42/qubes/linux-utils.git
>>
>
> Are these URL's correct? I am getting 404 errors.
>
> I just finished writing the postinst code for core-agent-linux on the
> weekend and want to make sure we don't have any conflicts since the new
> template code relies on it.
>
> I will also make sure that the current implementation of debian template
> works with your other module changes. Maybe there will be some code that
> can be removed from the templates now
As stated there is not gitweb or similiar i.e. $url will throw a 404 but
>
> On Monday, November 3, 2014 11:13:27 PM UTC-5, HW42 wrote:
>>
>> Hi,
>>
>> I worked a bit on the debian template.
>>
>> My changes consist mainly in making the fedora systemd services running
>> under Debian (I know Marek has started doing something similar).
>>
>> These changes should enable debian-templates to be used as netvm,
>> proxyvm, dispvm.
>>
>> You can get it from here (only via git. no gitweb):
>>
>> https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
>> https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
>> https://git.ipsumj.de/hw42/qubes/linux-utils.git
>>
>
> Are these URL's correct? I am getting 404 errors.
>
> I just finished writing the postinst code for core-agent-linux on the
> weekend and want to make sure we don't have any conflicts since the new
> template code relies on it.
>
> I will also make sure that the current implementation of debian template
> works with your other module changes. Maybe there will be some code that
> can be removed from the templates now
for example $url/HEAD works.
Have you tried git clone $url.
nrgaway
Nov 4, 2014, 5:36:13 AM11/4/14
to HW42, qubes...@googlegroups.com
On Tue, Nov 4, 2014 at 5:23 AM, HW42 <hw...@ipsumj.de> wrote:
Jason M:
>
>
> On Monday, November 3, 2014 11:13:27 PM UTC-5, HW42 wrote:
>>
>> Hi,
>>
>> I worked a bit on the debian template.
>>
>> My changes consist mainly in making the fedora systemd services running
>> under Debian (I know Marek has started doing something similar).
>>
>> These changes should enable debian-templates to be used as netvm,
>> proxyvm, dispvm.
>>
>> You can get it from here (only via git. no gitweb):
>>
>> https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
>> https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
>> https://git.ipsumj.de/hw42/qubes/linux-utils.git
>>
>
> Are these URL's correct? I am getting 404 errors.
>
> I just finished writing the postinst code for core-agent-linux on the
> weekend and want to make sure we don't have any conflicts since the new
> template code relies on it.
>
> I will also make sure that the current implementation of debian template
> works with your other module changes. Maybe there will be some code that
> can be removed from the templates now
As stated there is not gitweb or similiar i.e. $url will throw a 404 but
for example $url/HEAD works.
Have you tried git clone $url.
Yes I did try that. Here is the output:
user@development-qubes:~/src$ git clone https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
Cloning into 'gui-agent-linux'...
fatal: unable to access 'https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git/': Peer's Certificate issuer is not recognized.
user@development-qubes:~/src$ git clone https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
Cloning into 'gui-agent-linux'...
fatal: unable to access 'https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git/': Peer's Certificate issuer is not recognized.
I think there is a way to ignore certificate in git although I have never needed to do that before so I will look into it tomorrow :)
Marek Marczykowski-Górecki
Nov 4, 2014, 11:04:37 PM11/4/14
to HW42, qubes...@googlegroups.com
On Tue, Nov 04, 2014 at 06:02:31AM +0100, HW42 wrote:
> HW42:
> > HW42:
> >> Hi,
> >>
> >> I worked a bit on the debian template.
> >>
> >> My changes consist mainly in making the fedora systemd services running
> >> under Debian (I know Marek has started doing something similar).
> >>
> >> These changes should enable debian-templates to be used as netvm,
> >> proxyvm, dispvm.
:)
> HW42:
> > HW42:
> >> Hi,
> >>
> >> I worked a bit on the debian template.
> >>
> >> My changes consist mainly in making the fedora systemd services running
> >> under Debian (I know Marek has started doing something similar).
> >>
> >> These changes should enable debian-templates to be used as netvm,
> >> proxyvm, dispvm.
> >> You can get it from here (only via git. no gitweb):
> >>
> >> https://git.ipsumj.de/hw42/qubes/gui-agent-linux.git
dependency, so I've just cherry-picked this commit. Pushed to master.
> >> https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
This is more complicated, because of similar job done by nrgaway (in
process of porting whonix). But the only conflict was postinst script
name, so it was easy to merge.
All the changes pushed to "debian" branch in my repo for some testing,
when successful, will merge to master (after disabling debugging code).
> >> https://git.ipsumj.de/hw42/qubes/linux-utils.git
This one merged directly to master, as looks pretty simple.
> >> There are two tags. hw42_debian-systemd-1 are my original changes which
> >> are better tested. hw42_debian-systemd-2 are merged with the latest
> >> changes from Marek. These should also work well (I'm writing this Email
> >> with a VM based on them) but are less tested.
> >>
> >> Please note that I have tested my changes only in my custom debian
> >> unstable template (and some quick test on the "official" debian
> >> template). I originally planed to test it better but since Marek and the
> >> whonix-guys seems to do similar work as I have already done I thought
> >> its better to publish it now.
> >
> > I just noticed that I have missed to depend on xen-utils. See
> > core-agent-linux tag hw42_debian-systemd-3.
> >> A lot of the incompatibility were simple path miss matches (especially
> >> xenstore-*). I simply removed the absolute paths - Are there any good
> >> reasons to hardcode the paths?
> >>
> >> 0d0261d is not backward compatible. So if you downgrade the packages you
> >> have to undo it manually.
> >>
> >> Some things are still missing:
> >> - update proxy in netvm.
> >> - NetworkManager is untested since I don't use it.
> >> - App-Menus
>
> see tag hw42_appmenus (core-agent-linux) for working App-Menus.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Marek Marczykowski-Górecki
Nov 4, 2014, 11:16:28 PM11/4/14
to HW42, qubes...@googlegroups.com
On Wed, Nov 05, 2014 at 05:04:28AM +0100, Marek Marczykowski-Górecki wrote:
> On Tue, Nov 04, 2014 at 06:02:31AM +0100, HW42 wrote:
> > HW42:
> > > HW42:
> On Tue, Nov 04, 2014 at 06:02:31AM +0100, HW42 wrote:
> > HW42:
> > > HW42:
> > >> https://git.ipsumj.de/hw42/qubes/core-agent-linux.git
>
> This is more complicated, because of similar job done by nrgaway (in
> process of porting whonix). But the only conflict was postinst script
> name, so it was easy to merge.
>
> All the changes pushed to "debian" branch in my repo for some testing,
> when successful, will merge to master (after disabling debugging code).
Ok, first noticed problem: after package upgrade (not fresh template
>
> This is more complicated, because of similar job done by nrgaway (in
> process of porting whonix). But the only conflict was postinst script
> name, so it was easy to merge.
>
> All the changes pushed to "debian" branch in my repo for some testing,
> when successful, will merge to master (after disabling debugging code).
install), /etc/hosts have "127\.0\.1\.1 my_hostname" line. Fixed in my
repo.
Jason M
Nov 8, 2014, 8:49:40 PM11/8/14
to qubes...@googlegroups.com, nrg...@gmail.com, hw...@ipsumj.de
@HW42 Thanks, your modifications worked out beautifully. I have incorporated changed in the templates to make use of them.
It will be nice to be able to use a fully functional Debian based template.
cprise
Jan 22, 2015, 12:51:39 AM1/22/15
to Jason M, qubes...@googlegroups.com, hw...@ipsumj.de
Could you give a status on the Debian templates?
Debian 8 appears to have stalled and cannot be used in certain roles like proxyVM. Debian 7 appears to be fully functional but has only been released for whonix-qubes experimental (a standalone debian template package would be awesome).
Both appear to be waiting for Qubes updates.
Debian 8 appears to have stalled and cannot be used in certain roles like proxyVM. Debian 7 appears to be fully functional but has only been released for whonix-qubes experimental (a standalone debian template package would be awesome).
Both appear to be waiting for Qubes updates.
nrgaway
Jan 22, 2015, 1:38:02 AM1/22/15
to cprise, qubes...@googlegroups.com, HW42
I have been working on both the Debian 7 and 8 templates as well as trusty and utopic. They are all almost complete :)
cprise
Jan 22, 2015, 12:39:41 PM1/22/15
to nrgaway, qubes...@googlegroups.com, HW42
Sounds great... Thanks for the work and debugging you guys are doing
on the templates!
I'm definitely interested in a utopic (LTS) template and may use that instead of debian. I didn't realize the work on Ubuntu was going that quick, but I suppose the changes needed for debian carried over to Ubuntu.
One concern I have is the security of the template builder downloads from git (which only uses SHA-1 for hashing), so I'd much prefer to have you build it and upload the rpm to the repo.
I'm definitely interested in a utopic (LTS) template and may use that instead of debian. I didn't realize the work on Ubuntu was going that quick, but I suppose the changes needed for debian carried over to Ubuntu.
One concern I have is the security of the template builder downloads from git (which only uses SHA-1 for hashing), so I'd much prefer to have you build it and upload the rpm to the repo.
Reply all
Reply to author
Forward
0 new messages