qubes-mirage-firewall 0.5
Thomas Leonard
https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.5
This is a unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It may be useful if you want something smaller or faster-to-start than the Linux-based sys-firewall. It requires around 32MB of RAM when running and requires 0.0s of CPU time to boot, according to "xl list". It does not need or use a hard-disk, and does not persist any state between reboots.
For installation instructions, see:
https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md
For a blog post explaining the background for this, with a walk-through of the code (it's written in OCaml), see:
http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
Changes since 0.4:
- Update to the latest mirage-net-xen, mirage-nat and tcpip libraries (@yomimono, @talex5, #45, #47). In iperf benchmarks between a client VM and sys-net, this more than doubled the reported bandwidth!
- Don't wait for the Qubes GUI daemon to connect before attaching client VMs (@talex5, #38). If the firewall is restarted while AppVMs are connected, qubesd tries to reconnect them before starting the GUI agent. However, the firewall was waiting for the GUI agent to connect before handling the connections. This led to a 10s delay on restart for each client VM. Reported by @xaki23.
- Add stub makefile for qubes-builder (@xaki23, #37).
- Update build instructions for latest Fedora (@talex5, #36). yum no longer exists. Also, show how to create a symlink for /var/lib/docker on build VMs that aren't standalone. Reported by @xaki23.
- Add installation instructions for Qubes 4 (@yomimono, @reynir, @talex5, #27).
- Use Ethernet_wire.sizeof_ethernet instead of a magic 14 (@hannesm, #46).
Note that the repository has moved from github.com/talex5 to the github.com/mirage organisation, as it's no longer just my personal project.
Thomas Leonard
Q: The build-with-docker script hard-codes /home/opam. What if your user has a different name?
The Docker build creates a virtual environment based on the `ocaml/opam2:debian-9-ocaml-4.07` image (template). In this image, the user is always called "opam".
Using Docker means that every build is exactly the same, regardless of whether you're using Fedora or Debian as the OS for your Qube. The build script contains the hash of the expected image, so you can be sure the unikernel you built is byte-for-byte identical with the one we built.
It also means that you don't have to install any special tools (except Docker itself). The build is isolated from your own files, except that it shares the `_build` directory, which is where you will find the output files.
Q: Can I build on Debian without using Docker?
Yes. I got it working with this:
sudo apt-get update
sudo apt-get install rsync pkg-config git gcc make m4 patch unzip bubblewrap curl 0install-core
0install add opam http://tools.ocaml.org/opam.xml
opam init --compiler=4.07.1 --disable-sandboxing
eval $(opam env)
opam install mirage
mirage configure -t xen && make depend && make tar
Trying to keep these instructions up-to-date wastes a lot of volunteer time however, so I would much prefer people to use the Dockerfile if they have any problems building with their own OS.
Q: Why does installing opam without Docker want to modify my .profile?
So it can make commands such as `ocaml` point to the ones that it has installed in your home directory. If you're worried about what opam is doing to your system, I suggest using the build-with-docker script to sandbox everything.
Q: Do I need some standalone system that docker can 'mess up' and that I delete after build?
Feel free to create a `firewall-builder` VM for this if you don't trust Docker to sandbox things correctly in your existing qubes.
Q: You have binaries on the github site, but neither checksums nor signatures
There is a checksum in the build-with-docker file which should match the binary. In the case of the 0.5 release, you should see:
$ sha256sum vmlinuz
1f72adad30cbd4f8315983240bd150811084cb93d360c14740fadb36394c7aa8 vmlinuz
Perhaps future releases will come with signatures.
Q: Where can I ask questions about this?
- You can reply to this thread, where I will see it along with other Qubes users (I know several people here are using it; see previous discussions).
- You can file issues at https://github.com/mirage/qubes-mirage-firewall/issues
- You can ask on the Mirage mailing list - see https://mirage.io/community/
- To report a security bug, see https://mirage.io/security
haaber
I are right, it that was definitely better to put the FAQ on the site
(and this list). I did set up a standalone debian-10 to build, and the
process went through smoothly. Thank you. The 'but' comes now: BUT, in
the end the checksum fails!
sha256sum vmlinuz
570be5685298acb014cfaec132a35469e1cafbe2f731945dc5c57e8956e6638f
I stored the output of find . -type f -exec sha256sum \{} \; of the
qubes-mirage-firewall folder in this file
https://framabin.org/p/?d9b2b5de724e5c2a#20uFbk/hVlaZnMqHYQ/DXjv9Lav3+Y8Fw7rU05k1IhY=
to avoid sending 260 lines here. If someone has recently build the
version 0.5, could you run a diff on that to see what happened ? Cheers,
Bernhard
Johannes Graumann
Thomas Leonard
> Hey Thomas,
>
> I are right, it that was definitely better to put the FAQ on the site
> (and this list). I did set up a standalone debian-10 to build, and the
> process went through smoothly. Thank you. The 'but' comes now: BUT, in
> the end the checksum fails!
>
> sha256sum vmlinuz
> 570be5685298acb014cfaec132a35469e1cafbe2f731945dc5c57e8956e6638f
Did you use Docker to build it in your standalone qube? It should match if so. If not, it's unlikely to match because you're probably building against different library versions.
> I stored the output of find . -type f -exec sha256sum \{} \; of the
> qubes-mirage-firewall folder in this file
>
> https://framabin.org/p/?d9b2b5de724e5c2a#20uFbk/hVlaZnMqHYQ/DXjv9Lav3+Y8Fw7rU05k1IhY=
>
> to avoid sending 260 lines here. If someone has recently build the
> version 0.5, could you run a diff on that to see what happened ? Cheers,
> Bernhard
If you want to check that building without Docker gives exactly the same result as building with it (which might not be too easy...) you'll need to make sure that every installed OCaml library has the same version at least.
I'd suggest copying the firewall directory and building the copy with Docker (be sure to delete the copied _build directory first). Then you can compare between the two on your own computer.
For example, running "opam list" will show you the local (non-Docker) versions chosen.
To enter the Docker virtual build environment (after building), do:
$ docker run --rm -it --entrypoint bash qubes-mirage-firewall
That will get you a bash prompt, and you can run "opam list" there to see which versions the Docker build is using, and compare.
Note that any changes you make within the Docker build environment will be lost when you exit the shell.
To make sure it always uses the same version, the Docker image contains a Git clone of the opam repository, which it pins (in Dockerfile) to a particular commit. That means that the build-with-docker script will always build against the versions available at that fixed point in time, not the latest ones.
You might also find that Debian packages affect it (e.g. make sure you have the same version of gcc, as there are a few C source files used too).
If you need to get things in or out of the Docker environment, you can use -v to share a directory. e.g.
$ docker run --rm -it -v $(pwd):/mnt --entrypoint bash qubes-mirage-firewall
will share the current directory with Docker, mounted at `/mnt` in the virtual environment.
You might also be interested in the console output from the Travis CI build (this also lists the versions used):
https://travis-ci.org/mirage/qubes-mirage-firewall/builds/515629873
Hope that helps.
799
I'd like to announce the release of qubes-mirage-firewall 0.5:
https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.5
(...)
For installation instructions, see:
https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md,
build-with-docker.sh script:
sudo ln -s /var/lib/docker /home/user/docker
sudo dnf install docker
sudo systemctl start docker
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
sudo ./build-with-docker.sh
[...]
- O
haaber
>> Hey Thomas,
>>
>> I are right, it that was definitely better to put the FAQ on the site
>> (and this list). I did set up a standalone debian-10 to build, and the
>> process went through smoothly. Thank you. The 'but' comes now: BUT, in
>> the end the checksum fails!
>
three times, more and more frustrated. First in my "failed" template,
then after having wiped old build remainders, then, to be sure, in a
brand new debian-10. I did (and only did(!), since it was a brand new
template)
sudo apt-get install docker docker.io
bash -x ./build-with-docker.sh
This fails, reproducibly over two days and several templates. Here is
the output (sorry, a few lines)
+ set -eu
+ echo Building Docker image with dependencies..
Building Docker image with dependencies..
+ docker build -t qubes-mirage-firewall .
Sending build context to Docker daemon 81.41kB
Step 1/9 : FROM
ocaml/opam2@sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562
sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562:
Pulling from ocaml/opam2
ab1fc7e4bf91: Pull complete
6f18bf102670: Pull complete
699ebb14d422: Pull complete
cf587ba18bc9: Pull complete
d3a929149973: Pull complete
9a6a034ad342: Pull complete
9bb3db9d2528: Pull complete
b87ea99b2663: Pull complete
b53e97a27ef2: Pull complete
Digest:
sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562
Status: Downloaded newer image for
ocaml/opam2@sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562
---> c1014001338e
Step 2/9 : RUN git fetch origin && git reset --hard
c261c4ee9c1ef032af93483913b60f674d4acdb2 && opam update
---> Running in 41cc0084931b
fatal: Unable to look up github.com (port 9418) (Temporary failure in
name resolution)
The command '/bin/sh -c git fetch origin && git reset --hard
c261c4ee9c1ef032af93483913b60f674d4acdb2 && opam update' returned a
non-zero code: 128
Of course, I DID check that I can resolve and ping github, and that the
port is up and open (nmap). So this error message is not quite
understandable. I feel stupid and helpless. That's the downside of
building I experience for decades now : if you could not build all by
hand yourself, any build scripts will betray you sooner or later. Sadly
yours,
799
As you have at least some more progress and are currently busy resolving issues with the build process, maybe you can help me coming to this point.
(...) So: I did it, actually
three times, more and more frustrated.
haaber
> Arezo using a standalone Debian VM to build the docket image?
> Additionally, does it have to be a Debian 10?
> As far as I know debian-10 is in testing (?).
https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md
you'll see that building appears "thought" rather for fedora than
debian. But Thomas Leonard states that debian should work, as well. I
simply had removed all of Fedora from my machine (but dom0 :), and I
like to keep it that way.
Of course debian buster is testing, but it is rather in the end of its
testing phase. Many packages are more recent than in stretch. That made
me go this way. If I should get to solve it, I'll post here how I did,
of course.
Foppe de Haan
Run from any recent fedora-based AppVM (standalone or not).
Sphere
Thomas Leonard
> Hello Thomas,
>
>
>
> Thomas Leonard <tal...@gmail.com> schrieb am Do., 4. Apr. 2019, 12:27:
> I'd like to announce the release of qubes-mirage-firewall 0.5:
>
> https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.5
> (...)
>
> For installation instructions, see:
>
> https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md,
>
>
> thanks for the work you put into your mirage-firewall, as I have read your announcement several times in the past, I'd like to give it a try, but I would like to see some more information which is targeted towards newbies.
> To me it is not clear how I can setup the mirage-firewall.
> It seems that your suggestion is to build a docker image and while this covered in the installation howto (https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md) the docker building must be started within an AppVM ... should this be a template VM? a dedicated HVM? And should it be debian or fedora?
> I'd like to have a step for step instruction which takes a standard Qubes Installation as baseline and then ends in a working mirage firewall.
> As mentioned I would be more than happy o contribute to the documentation, but can you clarify the starting point?
I've proposed some extra text suggesting users should "Create a new Fedora-29 AppVM (or reuse an existing one)":
https://github.com/mirage/qubes-mirage-firewall/pull/51
Does that help?
Thomas Leonard
> > On Sunday, April 7, 2019 at 6:06:13 AM UTC+1, haaber wrote:
> >> Hey Thomas,
> >>
> >> I are right, it that was definitely better to put the FAQ on the site
> >> (and this list). I did set up a standalone debian-10 to build, and the
> >> process went through smoothly. Thank you. The 'but' comes now: BUT, in
> >> the end the checksum fails!
> >
> > Did you use Docker to build it in your standalone qube? It should match if so. If not, it's unlikely to match because you're probably building against different library versions.
>
> OK that is a convincing argument for docker. So: I did it, actually
> three times, more and more frustrated. First in my "failed" template,
> then after having wiped old build remainders, then, to be sure, in a
> brand new debian-10. I did (and only did(!), since it was a brand new
> template)
>
> sudo apt-get install docker docker.io
> git clone https://github.com/mirage/qubes-mirage-firewall.git
> cd qubes-mirage-firewall
> su
> bash -x ./build-with-docker.sh
>
>
> This fails, reproducibly over two days and several templates. Here is
> the output (sorry, a few lines)
I believe that the Qubes sys-firewall by default prevents template VMs from connecting to anything except their package repositories. It's OK to install Docker in a template VM if you want, but everything else should be done in an AppVM.
I've added more details at https://github.com/mirage/qubes-mirage-firewall/pull/51/files
I tested this with Debian 9, but I assume it would work the same on Debian 10.
By the way, while testing it I found one case where the hash can change even with Docker, and proposed a fix for that at https://github.com/mirage/qubes-mirage-firewall/pull/52
haaber
> I believe that the Qubes sys-firewall by default prevents template
VMs > from connecting to anything except their package repositories.
It's OK > to install Docker in a template VM if you want, but everything
else
> should be done in an AppVM.
> I've added more details at
https://github.com/mirage/qubes-mirage-firewall/pull/51/files
>
> I tested this with Debian 9, but I assume it would work the same on
> Debian 10.
>
> By the way, while testing it I found one case where the hash can
> change even with Docker, and proposed a fix for that at
> https://github.com/mirage/qubes-mirage-firewall/pull/52
not if your debian is <= buster). They are still too old. Rather install
from docker itself, like explained here
https://docs.docker.com/install/linux/docker-ce/debian/
hint: download the pgp key via tor with a reasonable time-delay to
reduce a bit the risk of getting served tampered keys. Since you
probably cannot verify it further, that is all one can do.
The newest docker allows to pass my previous problem (git error
message). But of course building wouldn't be fun if it just went
through, right? So, now it stops here:
<><> jbuilder.transition installed successfully
<><><><><><><><><><><><><><><><>
=> Jbuilder has been renamed and the jbuilder package is now a
transition package. Use the dune package instead.
# Run eval $(opam env) to update the current shell environment
The former state can be restored with:
opam switch import
"/home/opam/.opam/4.07/.opam-switch/backup/state-20190408104449.export"
The command '/bin/sh -c opam install -y vchan xen-gnt mirage-xen-ocaml
mirage-xen-minios io-page mirage-xen mirage mirage-nat mirage-qubes'
returned a non-zero code: 31
----------------------------------------------
Of course, I have even less clues what that is about. Let's see.
haaber
space*. My last error was due to that, but of course it did not tell me
"disc full" but some random other message. So now I am getting closer:
sudo ./build-with-docker.sh
--------------------
Step 9/9:
Successfully tagged qubes-mirage-firewall:latest
Building Firewall...
error while executing ocamlbuild -use-ocamlfind -classic-display -tags
bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
-pkgs mirage config.cmxs
+ mkdir /home/opam/qubes-mirage-firewall/_build
mkdir: cannot create directory
'/home/opam/qubes-mirage-firewall/_build': Permission denied
Command exited with code 1.
Failure:
Error during command "mkdir /home/opam/qubes-mirage-firewall/_build":
Ocamlbuild_pack.My_std.Exit_with_code(10).
----------------------
so we are back with the question of /home/opam instead of /home/user ...
Is docker trying to write to the "real" /home or at some sort of
chroot'ed /home inside docker ??? Aaaargh!
qmirfw
docker build --network=host -t qubes-mirage-firewall .
in build-with-docker.sh .
This way the container shares the host network, which would be an antipattern, but we are using throw away VMs anyway.
qmirfw
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
> To post to this group, send email to qubes...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0GONvMBO8vB8TDLM1Q23wBp_xR43tsL-T5-FCkrE2tMxtNJ6CLFs5VMi4CvgbeQ48wh4onn-8YmygB_jPPqTPuDylV4oDr1TBatgvCoPtbw%3D%40protonmail.com.
> For more options, visit https://groups.google.com/d/optout.
haaber
directory '/home/opam/qubes-mirage-firewall/_build': Permission denied"
error at the final build that blocks me ?
Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
folder without fiddling files by hand?
Cheers, Bernhard
Thomas Leonard
`_build` is your _build directory, which is mounted into the chroot by the -v option. You can go into the environment yourself and try making it manually to find out what the problem is:
$ docker run --rm -it --entrypoint bash -v $(pwd):/home/opam/qubes-mirage-firewall qubes-mirage-firewall
opam@aaa050f3779c:~/qubes-mirage-firewall$ mkdir _build
The Docker build user has UID 1000, which should be the same as the default qubes user (use "id" inside and outside of the build environment to see).
Thomas Leonard
[...]
> Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
> folder without fiddling files by hand?
To test that PR:
git pull origin pull/52/head
rm -rf _build
sudo ./build-with-docker.sh
qmirfw
> > Addition: but even after successful compilation, the hash still didn't match for me, probably because of what Thomas Leonard already mentioned ( https://github.com/mirage/qubes-mirage-firewall/pull/52 ). Can we get a 0.5.1 release? I'd contribute with a more step-by-step build instructions doc for Qubes + Debian (no need for Fedora).
>
> Q1: So you got through without the stange " mkdir: cannot create
> directory '/home/opam/qubes-mirage-firewall/_build': Permission denied"
> error at the final build that blocks me ?
>
> Q2: How do you integrate the pull/52 into the qubes-mirage-firewall
> folder without fiddling files by hand?
>
This is what I do:
# # # In dom0 root terminal:
# We can't use a DisposableVM, as their disk size can't be increased while running, so let's create a normal AppVM
qvm-create miragebuild --class=AppVM --label=red --template=some_debian-10_template
# Give it some space
qvm-volume resize miragebuild:private $((20*1024*1024*1024))
# Run it
qvm-run miragebuild gnome-terminal
# # # In miragebuild VM user terminal:
# The whole docker thing won't fit in /var/lib, but will fit in /home
sudo mkdir /home/user/var_lib_docker
sudo ln -s /home/user/var_lib_docker /var/lib/docker
sudo apt update
sudo apt install docker.io
# Fix the reproducible build
git pull origin pull/52/head
# By default docker under Qubes can't get out to the network, so we use --network=host, this is a single use VM anyway
sed s/'docker build -t qubes-mirage-firewall .'/'docker build --network=host -t qubes-mirage-firewall .'/ build-with-docker.sh >build-with-docker_networkfix.sh
# Let's build
sudo sh ./build-with-docker_networkfix.sh
# done.
After this the hash matches (ce9a16b6f5ce0123f289b3586492f9f4b921f6e788f8e333784545807bb1b0f2)
799
(...)
This is what I do:
(...)
799
MirageTemplateVM=t-fedora-29-mirage# create a new template VM qvm-clone fedora-29-minimal $MirageTemplateVM# Resize private disk to 10 GB qvm-volume extend$:private 10GB # Create a symbolic link to safe docker into the home directory qvm-run --auto --user root --pass-io --no-guiMirageTemplateVM$\ 'ln -s /var/lib/docker /home/user/docker' # Install docker and git qvm-run --user root --pass-io --no-guiMirageTemplateVM$\ 'dnf -y install docker git' # To get networking in the template VM qvm-run --auto --user root --pass-io --no-guiMirageTemplateVM$\ 'dnf install qubes-core-agent-networking' qvm-shutdown --waitMirageTemplateVM$qvm-prefsMirageTemplateVM$sys-firewall qvm-startMirageTemplateVM$# Launch docker qvm-run --user root --pass-io --no-guiMirageTemplateVM$\ 'systemctl start docker' # Download and build mirage for qubes qvm-run --user root --pass-io --no-guiMirageTemplateVM$\ 'cd /home/user && \ git clone https://github.com/mirage/qubes-mirage-firewall.git && \' cd qubes-mirage-firewall && \ ./build-with-docker.sh'MirageTemplateVM
--- --- 8< --- --- --- ---
Unfortunately I run into an error during the build process:
[...]
Building Firewall...
error while executing ocamlbuild -use-ocamlfind -classic-display -tags
bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
-pkgs mirage config.cmxs
+ mkdir /home/opam/qubes-mirage-firewall/_build
mkdir: cannot create directory '/home/opam/qubes-mirage-firewall/_build': Permission denied
Command exited with code 1.
Failure:
Error during command "mkdir /home/opam/qubes-mirage-firewall/_build": Ocamlbuild_pack.My_std.Exit_with_code(10)
Maybe because there is no folder /home/opam/... ??
I have also integrated pull request 52 via:qvm-run --user root --pass-io --no-gui'git pull origin pull/52/head && \$\MirageTemplateVM
rm -rf _build && \
sudo ./build-with-docker.sh'
And I have manually created the missing folder above via
qvm-run --user root --pass-io --no-gui'$\MirageTemplateVMmkdir /home/opam/qubes-mirage-firewall/'
Even then I still run into the same error.
Any ideas what I am missing?
- Ohaaber
of docker-ce directly (see my last 2-3 posts) here.
See https://docs.docker.com/install/linux/docker-ce/debian/
and https://docs.docker.com/install/linux/docker-ce/fedora/
for download instructions.
@Thomas Leonard: YES, I got through!! My error was my fault, some files
were owned by root and not user, the Lord knows why. Your line
$(pwd):/home/opam/qubes-mirage-firewall qubes-mirage-firewall
On 4/9/19 7:40 AM, 799 wrote:
> Hello,
>
> I've created a howto page in the Qubes Community docs to collect all
> information which is needed to build/install the mirage firewall for
> qubes OS.
> https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md
>
> I tried to build mirage in a new template VM which is based on
> fedora-29-minimal, but run into an error.
> Can you take a look and give me a hint what I am missing?
>
> --- --- 8< --- --- --- ---
>
> |MirageTemplateVM=|t-fedora-29-mirage
> |# create a new template VM qvm-clone fedora-29-minimal
> |$|MirageTemplateVM||:private 10GB # Create a symbolic link to safe
> qvm-prefs |$|MirageTemplateVM|| sys-firewall qvm-start
> --no-gui |$|MirageTemplateVM ||\ 'systemctl start docker' # Download and
> qubes-mirage-firewall && \ ./build-with-docker.sh'
> |
> --- --- 8< --- --- --- ---
>
> |Unfortunately I run into an error during the build process:
>
> [...]
> |Building Firewall... error while executing ocamlbuild -use-ocamlfind
> -classic-display -tags bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
> -pkgs mirage config.cmxs + mkdir /home/opam/qubes-mirage-firewall/_build
> mkdir: cannot create directory
> '/home/opam/qubes-mirage-firewall/_build': Permission denied Command
> exited with code 1. Failure: Error during command "mkdir
> /home/opam/qubes-mirage-firewall/_build":
> Ocamlbuild_pack.My_std.Exit_with_code(10) ||
>
> |
> |
>
> |Maybe because there is no folder /home/opam/... ??
>
> |
>
> |I have also integrated pull request 52 via:
> sudo ./build-with-docker.sh'
>
> And I have manually created the missing folder above via
>
> ||
>
> ||Even then I still run into the same error.
> ||
>
> ||Any ideas what I am missing?
> ||
>
> ||- O||
>
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to qubes-users...@googlegroups.com
> <https://groups.google.com/d/msgid/qubes-users/CAJ3yz2u9BpTd93vgjZ5NL7q%2BMaB49TDE%2BY2uRmJ50CgTuEws7Q%40mail.gmail.com?utm_medium=email&utm_source=footer>.
qmirfw
On Monday, April 8, 2019 11:40 PM, 799 <one7...@gmail.com> wrote:
> I tried to build mirage in a new template VM which is based on fedora-29-minimal, but run into an error.
Also why fight with Fedora, if my simple Debian based build gives the same binary as the official (equal checksum).
(Quick note, if you insist: you don't have to symlink the docker dir to /home, simply increase :root instead of :private)
I'll try the docker build in a fedora appvm and see if I also get that error...
qmirfw
# # # In dom0 root terminal:
qvm-volume resize miragebuildfedora:private $((20*1024*1024*1024))
qvm-run miragebuildfedora gnome-terminal
# # # In miragebuildfedora user terminal:
sudo ln -s /home/user/var_lib_docker /var/lib/docker
sudo systemctl start docker
sudo ./build-with-docker.sh
# # # done.
799
On Monday, April 8, 2019 11:40 PM, 799 <one7...@gmail.com> wrote:
> Any ideas what I am missing?
I don't know. I just did a build using fedora (based on unmodified Qubes fedora-29 template) and got no error, final checksum checks out. This is what I did:
(...)
qmirfw
> Thanks for the summary, this is what I was looking for. I am using fedora-29-minimal for all my AppVM's, therefore I didn't thought that the problem might be template related.
> I'll run the same steps you did tomorrow.
>
> As far as I have understand the VM is just for the building process and that I can find the result a file called mirage-firewall.tar.bz2 in the _build folder afterwards and that I need to transfer this folder to dom0 and unpack it to /var/lib/qubes/vm-kernels
> Then I can use the new kernel.
>
> Maybe a stupid question, but ...
> As the AppVM including docker is just needed to build the kernel, wouldn't it be much easier if the mirage-firewall can be added via a sudo qubes-dom0-update like any other package?
>
> Maybe only in the testing or a community repository?
one7...@gmail.com
> I don't understand why you want to do all that in a TemplateVM,
> and not an AppVM.
> Also why fight with Fedora, if my simple Debian based build gives the
> same binary as the official (equal checksum) [...]
you are right that using a full fedora-29 would not do any harm, therefore I have used this template and luckily everything was very easy to setup.
Thanks for the support!
I have compiled all info which I need to setup Mirage-FW in a short howto, which might also be helpfull to others in a way that all steps can be run from dom0 which is much easier and which can be scripted (for example to rebuild your Qubes Setup from a default installation):
@Mirage Firewall-Team:
I think creating a document/script which does the build process for the user, will improve end user experience setting up mirage.
----- 8< ----- ----- ----- -----
MirageFW-BuildVM=my-mirage-buildvm
TemplateVM=fedora-29
MirageFWAppVM=sys-mirage-fw
# create a new VM to build mirage via docker
qvm-create $MirageFW-BuildVM --class=AppVM --label=red --template=$TemplateVM
# Resize private disk to 10 GB
qvm-volume resize $MirageFW-BuildVM:private 10GB
# Create a symbolic link to safe docker into the home directory
qvm-run --auto --pass-io --no-gui $MirageFW-BuildVM \
'sudo mkdir /home/user/var_lib_docker && \
sudo ln -s /var/lib/docker /home/user/var_lib_docker'
# Install docker and git
qvm-run --pass-io --no-gui $MirageFW-BuildVM \
'sudo dnf -y install docker git'
# Launch docker
qvm-run --pass-io --no-gui $MirageFW-BuildVM \
'sudo systemctl start docker'
# Download and build mirage for qubes
qvm-run --pass-io --no-gui $MirageFW-BuildVM \
'git clone https://github.com/mirage/qubes-mirage-firewall.git && \
cd qubes-mirage-firewall && \
git pull origin pull/52/head && \
sudo ./build-with-docker.sh'
# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io $MirageFW-BuildVM 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -
# create the new mirage firewall
qvm-create \
--property kernel=mirage-firewall \
--property kernelopts=None \
--property memory=32 \
--property maxmem=32 \
--property netvm=sys-net \
--property provides_network=True \
--property vcpus=1 \
--property virt_mode=pv \
--label=green \
--class StandaloneVM \
$MirageFWAppVM
# The build VM could be deleted if you don't want to keep it
# but if you want to upgrade Mirage Firewall for Qubes OS,
# you need to rebuild this VM.
qvm-shutdown --wait $MirageFW-BuildVM
qvm-remove --force $MirageFW-BuildVM
----- 8< ----- ----- ----- -----
Link: https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md
Now the next steps are to learn, how to tweak the firewall to allow specific communication between AppVMs, for example ssh/http.
Thanks to all for the help/suggestions.
- O
Thomas Leonard
> So I have briefly read README.md about this and does this thing really have to run as a PV VM and cannot be a PVH VM?
See: https://lists.xenproject.org/archives/html/mirageos-devel/2019-04/msg00019.html
Sphere
Thank you for this
brenda...@gmail.com
The build script uses download.camlcity.org which appears to be chronically down.
Any consideration for replacements?
B
Thomas Leonard
It's up for me. What error are you seeing?
Brendan Hoar
On Tuesday, April 23, 2019 at 5:02:36 PM UTC+1, brend...@gmail.com wrote:
> The build script uses download.camlcity.org which appears to be chronically down.Any consideration for replacements?
It's up for me. What error are you seeing?