Debian template - request for testing


Davíð Steinn Geirsson

Apr 16, 2014, 3:23:33 PM
to qubes...@googlegroups.com, qubes...@googlegroups.com
Hi all,

Development on the debian template for qubes has been going very well
recently. Most important things are already working (AppVM, GUI, sound,
etc).

I would like it if interested people could try this out and let me know
how it goes. Did you have any problems getting it to work? Any specific
things you would like to see working?

I recommend trying it out with jessie (testing), as those packages are
furthest along. If you run the provided template builder with the
default settings, you should end up with a working jessie template.
Just make a copy of an existing template VM and replace the root.img
and private.img with the output of the templatebuilder. The template
builder works on both debian and fedora assuming the 'debootstrap'
program is installed.

You can find the debian packaging here:
http://dsg.is/qubes/

Best regards,
Davíð

Marek Marczykowski-Górecki

Apr 16, 2014, 3:59:10 PM
to Davíð Steinn Geirsson, qubes...@googlegroups.com
Are you going to integrate this into Qubes template-builder [1][2]? This will
make it possible to easily distribute and install the template - simple rpm
package instead of cloning existing template and replacing files.

[1] http://git.qubes-os.org/?p=marmarek/linux-template-builder.git;a=summary
[2] http://wiki.qubes-os.org/trac/wiki/BuildingNonFedoraTemplate

> You can find the debian packaging here:
> http://dsg.is/qubes/
>
> Best regards,
> Davíð
>


--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Davíð Steinn Geirsson

Apr 16, 2014, 4:11:27 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Hi,

On Wed, 16 Apr 2014 21:59:10 +0200
Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:

> On 16.04.2014 21:23, Davíð Steinn Geirsson wrote:
> > Hi all,
> >
> > Development on the debian template for qubes has been going very
> > well recently. Most important things are already working (AppVM,
> > GUI, sound, etc).
> >
> > I would like it if interested people could try this out and let me
> > know how it goes. Did you have any problems getting it to work? Any
> > specific things you would like to see working?
> >
> > I recommend trying it out with jessie (testing), as those packages
> > are furthest along. If you run the provided template builder with
> > the default settings, you should end up with a working jessie
> > template. Just make a copy of an existing template VM and replace
> > the root.img and private.img with the output of the
> > templatebuilder. The template builder works on both debian and
> > fedora assuming the 'debootstrap' program is installed.
>
> Are you going to integrate this into Qubes template-builder [1][2]?
> This will make it possible to easily distribute and install the
> template - simple rpm package instead of cloning existing template
> and replacing files.

Sure, I wasn't sure whether there was interest in pulling this into the
qubes repo so I just started by building a simple minimal template.
I'll try to integrate this into the qubes template-builder.

How do you think it would be best to handle the packages? Should we let
the template-builder set up a debian chroot to build the packages, build
a repo and install the built packages? Or would the qubes devs be
interested in running an APT repository with packages on
qubes-os.org, so we can just add the appropriate sources.list entry
during template-builder runs?

I rather prefer the second option as it means a built template can be
easily updated with apt-get right out of the box. But of course there
is a maintenance burden...

cprise

Apr 16, 2014, 4:22:05 PM
to Davíð Steinn Geirsson, qubes...@googlegroups.com, qubes...@googlegroups.com
I plan to do so right after upgrading Qubes. Thanks!

Marek Marczykowski-Górecki

Apr 16, 2014, 4:42:55 PM
to Davíð Steinn Geirsson, qubes...@googlegroups.com
I think it is doable to set up apt repository at qubes-os.org (deb.qubes-os.org?).
But building template itself should use some local repository - same as other
templates.

>
>>
>> [1]
>> http://git.qubes-os.org/?p=marmarek/linux-template-builder.git;a=summary
>> [2] http://wiki.qubes-os.org/trac/wiki/BuildingNonFedoraTemplate
>>
>>> You can find the debian packaging here:
>>> http://dsg.is/qubes/
>>>
>>> Best regards,
>>> Davíð
>>>
>>
>>
>



Joanna Rutkowska

Apr 16, 2014, 5:38:00 PM
to Marek Marczykowski-Górecki, Davíð Steinn Geirsson, qubes...@googlegroups.com
FWIW, in Qubes R2-rc1 (which is coming this week) we've added two new repo
definitions:

1) templates-itl
2) templates-community (disabled by default)

... so if you could integrate your work with our template builder, then
we would be able to build it and upload a ready-to-download template to
templates-community repo for others to try.

All that would be needed from the user's point of view then would be just
to type:

sudo qubes-dom0-update --enablerepo=qubes-templates-community super-coold-debian-template

... in dom0 and sit back and watch the template being downloaded,
verified, and installed :)

joanna.


Tim hobbs

Apr 16, 2014, 7:11:33 PM
to qubes...@googlegroups.com, Marek Marczykowski-Górecki, Davíð Steinn Geirsson
Wow, that sounds really great! :)

Tim

Julio Cabrera

Apr 17, 2014, 12:05:08 PM
to qubes...@googlegroups.com, qubes...@googlegroups.com, da...@dsg.is
Qubes is awesome! Thank you

Davíð Steinn Geirsson

Apr 20, 2014, 10:57:07 AM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Hi Marek,

On Wed, 16 Apr 2014 22:42:55 +0200
I've got some changes to linux-template-builder.git to make a
qubes-ized debian template. It's kind of hacky because of this
requirement of building the packages as part of the template build -
first it debootstraps a temporary build environment, checks out the
qubes repos git with debian tags, verifies the tags and builds
the packages, before building the "regular" template.

The scripts currently break because the newest release of
qubes-gui-common.git (v2.0.2) is signed using an expired key
(42CFA724). Any chance you could spin a v2.0.3, even if there are no
changes, just to get a new tag signed with a non-expired key?

I've got a template out of the scripts if I comment out the signature
checks, but I'd prefer not to install it on the dom0 side in that
case... so a freshly-signed git tag would be appreciated :)

Once I've actually tested the resulting template, I'll submit the
patches here for review.
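An added example (not part of the original post and not the patchset's code): a fail-closed tag check of the kind described above, which reports a tag signed by an expired key as its own verdict so the build can stop with a clear reason instead of having the check commented out. It parses the GnuPG status lines that `git verify-tag --raw` prints; the function names, the pinned-fingerprint list and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# classify_gpg_status PINNED_FPRS
# Reads GnuPG status lines on stdin (the format `git verify-tag --raw <tag>`
# writes to stderr) and prints exactly one verdict:
#   good         valid signature from a pinned fingerprint
#   expired-key  signature verifies, but the signing key has expired
#   untrusted    valid signature from a key that is not pinned
#   bad          bad, uncheckable, revoked-key or expired signature, or none
classify_gpg_status() {
    pinned=$1; good=0; expkey=0; bad=0; fpr=
    while read -r prefix keyword arg1 _rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)   good=1 ;;
            EXPKEYSIG) expkey=1 ;;
            VALIDSIG)  fpr=$arg1 ;;      # first field is the full fingerprint
            BADSIG|ERRSIG|REVKEYSIG|EXPSIG) bad=1 ;;
        esac
    done
    if [ "$bad" = 1 ]; then echo bad
    elif [ "$expkey" = 1 ]; then echo expired-key
    elif [ "$good" = 1 ] && [ -n "$fpr" ]; then
        case " $pinned " in
            *" $fpr "*) echo good ;;
            *)          echo untrusted ;;
        esac
    else echo bad
    fi
}

# verify_tag REPO_DIR TAG PINNED_FPRS: succeeds only on verdict "good", so a
# build script can abort on anything else.
verify_tag() {
    verdict=$(git -C "$1" verify-tag --raw "$2" 2>&1 | classify_gpg_status "$3")
    echo "$2: $verdict" >&2
    [ "$verdict" = good ]
}

# Constructed sample input; fingerprints and user IDs are placeholders.
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_GOOD="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $FPR_A 2014-04-20 1398000000 0 4 0 1 8 00 $FPR_A"
SAMPLE_EXPIRED="[GNUPG:] KEYEXPIRED 1390000000
[GNUPG:] EXPKEYSIG BBBBBBBBBBBBBBBB Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $FPR_B 2014-01-10 1389312000 0 4 0 1 8 00 $FPR_B"
```

Pinning full fingerprints rather than short key IDs matters here: an expired-key verdict stays distinct from a bad signature, and a good signature from an unpinned key is still rejected.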

Outback Dingo

Apr 20, 2014, 12:47:23 PM
to Davíð Steinn Geirsson, Marek Marczykowski-Górecki, qubes...@googlegroups.com
I'd love to test this and get off fedora. This all sounds great, is the template available for download somewhere? Or do we have to go through the process of building it ourselves?
And if so, what caveats, if any, should we be aware of?

Marek Marczykowski-Górecki

Apr 20, 2014, 1:35:08 PM
to Davíð Steinn Geirsson, qubes...@googlegroups.com
On 20.04.2014 16:57, Davíð Steinn Geirsson wrote:
> I've got some changes to linux-template-builder.git to make a
> qubes-ized debian template. It's kind of hacky because of this
> requirement of building the packages as part of the template build -
> first it debootstraps a temporary build environment, checks out the
> qubes repos git with debian tags, verifies the tags and builds
> the packages, before building the "regular" template.

You do not need to build packages during template build.
Ideally you should build packages using qubes-builder (which can prepare build
environment using template-builder scripts), then build template itself.
But you can start with building template, using packages directly from your
apt repo.

The whole build process should look like this:
1. qubes-builder prepares build environment (prepare-chroot-* scripts)
2. qubes-builder builds all required packages (xen-vm, core-vchan-xen,
core-agent-linux, gui-common (includes), gui-agent-linux)
3. qubes-builder prepares local repo (apt) for template-builder
4. template-builder (called from qubes-builder) builds the template

The first step is very similar to building template itself, so can reuse
(call) the scripts from template-builder - check prepare-chroot-archlinux.
Which means you probably want to have working template-builder first - this is
why I suggest using already existing apt repo for that.

> The scripts currently break because the newest release of
> qubes-gui-common.git (v2.0.2) is signed using an expired key
> (42CFA724). Any chance you could spin a v2.0.3, even if there are no
> changes, just to get a new tag signed with a non-expired key?

There is second tag (mm_b8c2bdb3) on this repo with new key. Isn't that enough?

> I've got a template out of the scripts if I comment out the signature
> checks, but I'd prefer not to install it on the dom0 side in that
> case... so a freshly-signed git tag would be appreciated :)
>
> Once I've actually tested the resulting template, I'll submit the
> patches here for review.


Davíð Steinn Geirsson

Apr 21, 2014, 10:08:50 AM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Hi,
Thanks, I misunderstood you earlier. This is much better, I'll rework
my patches based on this.


>
> > The scripts currently break because the newest release of
> > qubes-gui-common.git (v2.0.2) is signed using an expired key
> > (42CFA724). Any chance you could spin a v2.0.3, even if there are no
> > changes, just to get a new tag signed with a non-expired key?
>
> There is second tag (mm_b8c2bdb3) on this repo with new key. Isn't
> that enough?

With the way the packages are currently set up (quilt-based packages
using git-buildpackage), the git-buildpackage set of scripts will build
the upstream .tar.gz from the git tag matching the version given in the
debian/changelog. So currently it causes problems.

However, after thinking about this a bit more, I think a quilt-based
package may not be appropriate. If the plan is to include the debian
packaging in the qubes repositories, a native package would make this a
lot easier - then we don't need to deal with many branches and
creating .orig.tar.gz when the package is built. I might be able to
just copy the git repository previously used for the RPM build,
assuming that any signature checks have already been done for it.

It'll probably take me a few days to rework the packages. It also gives
me the opportunity to generalise the build packages so we can apply
them to the main repo instead of having all these patches as part of
the debian build, which should reduce the maintenance burden. Once it's
done, I'll send the patches. :)

Davíð Steinn Geirsson

Apr 21, 2014, 10:18:25 AM
to Outback Dingo, Marek Marczykowski-Górecki, qubes...@googlegroups.com
Hi,

On Sun, 20 Apr 2014 12:47:23 -0400
Outback Dingo <outbac...@gmail.com> wrote:

>
> I'd love to test this and get off fedora, This all sounds great, is the
> template available for download somewhere? or do we have to go
> through the process of building it ourselves?
> And if so what caveats if any should we be aware of?
>

There is no prebuilt template available. Joanna said that ITL are
planning to build the templates themselves, which is great news, so I
think the best course of action may be to wait until they are
available.

If you want to try this now, you can use the old template build script
at http://dsg.is/qubes/ - but you'll need to change the template at
some point, since this script is missing some customisations.

As for caveats, there's probably a lot of them, since this has gotten
only light testing. Using TemplateVMs and AppVMs works, and I haven't
had any stability problems. NetVM, ProxyVM and DispVM is untested and
probably won't work at this stage.

There is a problem with updating qubes-gui-agent as the agent gets
restarted during upgrade, which means all displayed applications
disappear until reboot - which is bad if you were performing the
upgrade through the GUI. For now I recommend doing updates to
qubes-gui-agent through either the Xen console or qvm-run -p.

In general, it probably doesn't make much sense to try this at this
stage unless you are reasonably comfortable with the command line (in
case something breaks), and you should definitely have up-to-date
backups of any data you store in the VMs (but then, you should have
this anyway, for all your data ;)


Marek Marczykowski-Górecki

Apr 30, 2014, 8:13:13 AM
to Davíð Steinn Geirsson, qubes...@googlegroups.com
Any progress? :)

Davíð Steinn Geirsson

May 4, 2014, 7:40:51 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Hi,

On Wed, 30 Apr 2014 14:13:13 +0200
Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
>
> Any progress? :)

Yes, I'm about to send the patchset I have. I'll send the patches for
each repo in a separate mail so you can comment on them separately.

There's plenty of room for improvement still.

Sound does not work currently, as qubes pulseaudio fails to start as
the system pulseaudio is already running. I'm trying to find a better
solution to this than to just kill the original pulseaudio as part of
start-pulseaudio-with-vchan as I previously did. Can't mess with the
conffiles of other packages.

The version is fixed to jessie (testing) right now.

Davíð

Marek Marczykowski-Górecki

May 4, 2014, 8:02:02 PM
to Davíð Steinn Geirsson, qubes...@googlegroups.com
Every pulseaudio doc recommends to _not_ run system daemon, but use session
one instead... Is it really system daemon enabled by default in debian?

> The version is fixed to jessie (testing) right now.
>
> Davíð
>



Davíð Steinn Geirsson

May 4, 2014, 8:09:24 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
On Mon, 05 May 2014 02:02:02 +0200
Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:

> On 05.05.2014 01:40, Davíð Steinn Geirsson wrote:
> > Hi,
> >
> > On Wed, 30 Apr 2014 14:13:13 +0200
> > Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
> >>
> >> Any progress? :)
> >
> > Yes, I'm about to send the patchset I have. I'll send the patches
> > for each repo in a separate mail so you can comment on them
> > separately.
> >
> > There's plenty of room for improvement still.
> >
> > Sound does not work currently, as qubes pulseaudio fails to start as
> > the system pulseaudio is already running. I'm trying to find a
> > better solution to this than to just kill the original pulseaudio
> > as part of start-pulseaudio-with-vchan as I previously did. Can't
> > mess with the conffiles of other packages.
>
> Every pulseaudio doc recommends to _not_ run system daemon, but use
> session one instead... Is it really system daemon enabled by default
> in debian?

No, it's per-user session daemons, but the normal one
using /etc/pulse/default.pa gets started first, so the qubes one
(using /etc/pulse/qubes-default.pa) will refuse to start. Previously I
did something like 'sleep 5; killall pulseaudio;' at the top of
start-pulseaudio-with-vchan, but I didn't add that to this patchset
since I want to implement a better solution. I just haven't gotten
around to it yet. :)

Franz

May 5, 2014, 6:12:18 AM
to Davíð Steinn Geirsson, Marek Marczykowski-Górecki, qubes...@googlegroups.com
Perhaps it is better so. For a long time I was trying to get better audio through a usb audio card and was never able to get it working in Qubes. It may work in your configuration. There are plenty of usb audio cards working with linux, from very cheap and small to high quality. This is also supposed to solve the skype latency problem that disrupts audio quality as cprise noted. Also too much latency with some videos was mentioned as a problem in this mailing list. So please try to keep the present configuration so I can test it with some usb audio cards.

Best

Franz

Marek Marczykowski-Górecki

May 5, 2014, 6:39:33 AM
to Franz, Davíð Steinn Geirsson, qubes...@googlegroups.com
This has nothing to do with the way in which pulseaudio is started.

Check this page:
http://wiki.qubes-os.org/trac/wiki/UserDoc/ConfigFiles#GUIandaudioconfigurationindom0
I've just added section about guid.conf, which includes recently added
"audio_low_latency" setting.