creating non-Fedora NetVMs and FirewallVMs


Jake

Feb 13, 2015, 7:00:24 AM
to qubes...@googlegroups.com
i am trying to manually set up netvms and firewallvms from scratch using
a non-fedora OS (bitrig) and encountering some issues, e.g. it appears
you cannot use a hvm template when doing this. i did find and read this
recent (1 week ago) thread about openwrt as a netvm

http://marc.info/?l=qubes-users&m=142324288623841&w=2

but the information about what you can and cannot do with qubes
currently appears somewhat piecemeal. from this thread i was able to glean

- qubes does not support hvm for netvm, potentially on roadmap for R3.2
- one can create a standalone vm based on a template, then replace its
root.img (not 100% clear on how this works)
- if you're trying to boot linux, you can "hotwire" the kernel being
booted using /var/lib/qubes/qubes.xml to avoid it booting the usual
fedora kernel and ramdisk

is this summary valid or are there additional knobs one can turn here?

as best i can tell, my desired use case requires having an hvm for a
netvm and firewallvm. it would be really helpful to know

- does the same rule about not being able to use a hvm for a netvm apply
to firewallvms?
- if i can run a hvm as a firewallvm, what series of steps must i take?
i have a hvm template that i would like to use, but i expect i will have
to create a standalone hvm based on the template

clues appreciated, thanks for reading.

regards,
jake

J.M. Porup

Feb 13, 2015, 7:59:46 AM
to qubes...@googlegroups.com
I've been using split gpg for a while with no trouble.

today I discovered that I could send encrypted email, but not signed
email. this left me scratching my head, because the error enigmail gives
me is a popup with the message:

Send operation aborted.

Error - encryption command failed

I am manually forcing no encryption and forcing signing. A look around
the enigmail support forums suggests the solution is to select "Use
specific OpenPGP key ID" instead of "Use email address of this identity..."

However, qubes-split-gpg-wrapper does not seem to populate this list of
key IDs.

Any idea how to do this? (Or other solution to the problem?)

thanks
JMP


Axon

Feb 13, 2015, 8:50:26 AM
to J.M. Porup, qubes...@googlegroups.com

J.M. Porup wrote:
> I've been using split gpg for a while with no trouble.
>
> today I discovered that I could send encrypted email, but not
> signed email. this left me scratching my head, because the error
> enigmail gives me is a popup with the message:
>
> Send operation aborted.
>
> Error - encryption command failed
>
> I am manually forcing no encryption and forcing signing. A look
> around the enigmail support forums suggests the solution is to
> select "Use specific OpenPGP key ID" instead of "Use email address
> of this identity..."
>

Yes, this should work if you manually enter your key ID.

> However, qubes-split-gpg-wrapper does not seem to populate this
> list of key IDs.
>
> Any idea how to do this? (Or other solution to the problem?)
>
> thanks JMP
>
>

J.M. Porup

Feb 13, 2015, 9:03:12 AM
to Axon, qubes...@googlegroups.com
Axon:
> J.M. Porup wrote:
>> I've been using split gpg for a while with no trouble.
>
>> today I discovered that I could send encrypted email, but not
>> signed email. this left me scratching my head, because the error
>> enigmail gives me is a popup with the message:
>
>> Send operation aborted.
>
>> Error - encryption command failed
>
>> I am manually forcing no encryption and forcing signing. A look
>> around the enigmail support forums suggests the solution is to
>> select "Use specific OpenPGP key ID" instead of "Use email
>> address of this identity..."
>
>
> Yes, this should work if you manually enter your key ID.

the field does not accept manual entry. you have to click "Select Key"
and then choose from the offered choices...and none of the keys on my
keyring (including my own) appear in that popup.

or maybe i'm missing something here?

JMP

Axon

Feb 13, 2015, 10:08:08 AM
to J.M. Porup, qubes...@googlegroups.com
Ah, I think I see what's happening.

If you're using the latest version of Enigmail and you check the Debug
Log when you click on "Select Key...," you should see something like this:

> enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --with-fingerprint --fixed-list-mode --with-colons --list-secret-keys
>
> enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --fixed-list-mode --with-colons --list-keys <key id>
> open: No such file or directory

which seems to be a more general instance of this bug:

https://wiki.qubes-os.org/ticket/900

(I've updated that ticket with a link to this thread.)
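Added example, not part of the thread and not Qubes or Enigmail code: a parser for the colon-delimited listing that the first logged command requests (`--fixed-list-mode --with-colons --list-secret-keys`), used to find the secret key ID belonging to a sender address. The sample listing is constructed with fake key IDs, and the function names `parse_secret_keys` and `keyids_for_address` are hypothetical.

```python
"""Parse a GnuPG --with-colons --fixed-list-mode secret-key listing."""
import re

# Constructed sample output (not from the thread); all key material is fake.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1423785600:::::::::
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1423785600::0000000000000000000000000000000000000000::Alice Example (work\\x3a mail) <alice@example.org>:
ssb:u:4096:1:FEDCBA9876543210:1423785600::::::
sec:u:2048:1:1111222233334444:1391212800:1454284800::::::::
fpr:::::::::9999888877776666555544441111222233334444:
uid:u::::1391212800::0000000000000000000000000000000000000000::Alice Old <alice@old.example>:
open: No such file or directory
"""


def unescape(field):
    # In colon listings a literal ':' inside a user ID is written as \x3a.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_secret_keys(listing):
    """Return one dict per 'sec' record, with its fingerprint and user IDs."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            # Not a key record, e.g. stray error text mixed into the output.
            continue
        if f[0] == "sec":
            current = {"keyid": f[4], "bits": int(f[2]),
                       "expires": f[6] or None,
                       "fingerprint": None, "uids": []}
            keys.append(current)
        elif current is None:
            continue
        elif f[0] == "fpr" and current["fingerprint"] is None:
            # The first fpr after sec is the primary key's fingerprint.
            current["fingerprint"] = f[9]
        elif f[0] == "uid":
            current["uids"].append(unescape(f[9]))
    return keys


def keyids_for_address(keys, email):
    """Key IDs of secret keys that carry a user ID with this address."""
    needle = "<" + email.lower() + ">"
    return [k["keyid"] for k in keys
            if any(needle in u.lower() for u in k["uids"])]


if __name__ == "__main__":
    print(keyids_for_address(parse_secret_keys(SAMPLE_LISTING),
                             "alice@example.org"))
```

An empty result from `parse_secret_keys` means the listing contained no `sec` records at all, which separates "no secret keys were returned" from "keys were returned but none match this address".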