Potential to minimize dom0


qubist

Dec 25, 2025, 4:26:19 AM
to qubes...@googlegroups.com
Merry Christmas!

While I understand minimizing dom0 is not a goal yet [1], what
justifies all the seemingly unnecessary stuff in it, considering the
major recommendation not to run things in dom0 and the fact that one
can always add (install) packages if so necessary?

Is there at least a list of absolutely required packages, so that one
can remove whatever else one does not need?

[1] https://github.com/QubesOS/qubes-issues/issues/8658#issuecomment-1780885777

Marek Marczykowski-Górecki

Dec 26, 2025, 6:52:49 AM
to qubes...@googlegroups.com
Dom0 is based on Fedora (41) Xfce spin and mostly follows what is
included there. But, contrary to templates, we are more open to
customizing it, removing unneeded parts etc. As for "what is necessary",
I don't have a clear answer for you. Generally - if some qubes package
depends on it, it's probably necessary. The easiest check is
`dnf remove --assumeno <package>` and see what would be removed with it. But there
are likely some cases where dependency is indirect, and maybe it could
be avoided.

For example, samba-client-libs is installed in dom0. If you try to
remove it, it will try to remove a bunch of other packages, including
initial-setup-gui and qubes-manager. But, we don't really use samba in
dom0, it's some indirect dependency (looks to be via libavformat-free ->
qt6-qtmultimedia -> python3-pyqt6 -> qubes-manager). I'm not sure if
there is a harmless way to exclude that dependency (without rebuilding a
lot of Fedora packages for example).

Internet says `rpmreaper` is a tool that may help finding unused
packages.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
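Added example, not part of the original message or of any Qubes code: a way to find the chain that keeps a package such as samba-client-libs installed, by walking "required by" edges until a package that must stay is reached. Treating every package whose name starts with "qubes-" as such an anchor is an assumption taken from the rule of thumb in the message above, and the sample table is constructed.

```python
import subprocess
from collections import deque

def dnf_requirers(pkg):
    """Installed packages that require pkg, as reported by dnf (needs a dnf host)."""
    out = subprocess.run(
        ["dnf", "repoquery", "--installed", "--whatrequires", pkg,
         "--qf", "%{name}\n"],
        capture_output=True, text=True, check=True).stdout
    return sorted({l.strip() for l in out.splitlines() if l.strip()} - {pkg})

def chain_to_anchor(pkg, requirers, is_anchor=lambda n: n.startswith("qubes-")):
    """Shortest required-by path from pkg to a package that must stay.

    requirers: callable, name -> names of packages that require it.
    Returns the path as a list, or None when no anchor depends on pkg.
    """
    queue, seen = deque([[pkg]]), {pkg}
    while queue:
        path = queue.popleft()
        if is_anchor(path[-1]):
            return path
        for parent in requirers(path[-1]):
            if parent not in seen:          # guards against dependency cycles
                seen.add(parent)
                queue.append(path + [parent])
    return None

# Constructed table: the samba-client-libs chain is the one quoted in the
# message above; the example-* entries are made up.
SAMPLE_REQUIRED_BY = {
    "samba-client-libs": ["libavformat-free"],
    "libavformat-free": ["qt6-qtmultimedia"],
    "qt6-qtmultimedia": ["python3-pyqt6"],
    "python3-pyqt6": ["qubes-manager"],
    "example-lib": ["example-leaf-tool"],
}

def sample_requirers(name):
    return SAMPLE_REQUIRED_BY.get(name, [])

if __name__ == "__main__":
    for pkg in ("samba-client-libs", "example-lib"):
        print(pkg, "->", chain_to_anchor(pkg, sample_requirers))
    # On a real system: chain_to_anchor("samba-client-libs", dnf_requirers)
```

A result of None means no anchor package was found behind the candidate, which makes it a candidate for manual review rather than proof that removal is safe.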

qubist

Dec 26, 2025, 8:32:12 AM
to qubes...@googlegroups.com
Thanks for the feedback.

I can't test this on 4.3.0, as I am still on 4.2.4. I tried:

    for i in $(dnf repoquery --unneeded --queryformat '%{name}'); do
        dnf remove --assumeno -- "${i}"
    done > /tmp/result.txt

I am attaching the output.

Does an in-place upgrade from 4.2.4 to 4.3.0 cleanup packages that
might have been necessary in 4.2.4 but are not any more in 4.3.0? If
not, what would be the appropriate procedure to achieve that result
without reinstalling from scratch?

I am asking because some packages, reported as unneeded in 4.2.4, don't
seem to show up as unneeded in 4.3.0, but they are still installed. My
reference is this forum post:

https://forum.qubes-os.org/t/looking-for-list-of-dom0-packages-of-a-freshly-installed-4-3-0-system/38120/2

Attachments: result.txt, unneeded.txt

unman

Dec 26, 2025, 8:39:50 AM
to qubes...@googlegroups.com
This is not a Qubes issue - it's covered in standard guides to
dealing with Fedora in-place upgrades. (Of course, you might uncover
packages that should be, but are not, specified as dependencies of
Qubes packages.)
The normal practice is to run dnf autoremove.

Marek Marczykowski-Górecki

Dec 26, 2025, 8:46:08 AM
to qubes...@googlegroups.com

On Fri, Dec 26, 2025 at 01:31:47PM -0000, qubist wrote:
> Thanks for the feedback.
>
> I can't test this on 4.3.0, as I am still on 4.2.4. I tried:
>
> for i in $(dnf repoquery --unneeded --queryformat '%{name}'); do
> dnf remove --assumeno -- "${i}"
> done > /tmp/result.txt
>
> I am attaching the output.
>
> Does an in-place upgrade from 4.2.4 to 4.3.0 cleanup packages that
> might have been necessary in 4.2.4 but are not any more in 4.3.0? If
> not, what would be the appropriate procedure to achieve that result
> without reinstalling from scratch?

Just some random sample:
- after in-place upgrade I don't have ImageMagick installed
- trying to remove fftw-libs-double attempts to remove quite a few necessary
  packages

> I am asking because some packages, reported as unneeded in 4.2.4, don't
> seem to show up as unneeded in 4.3.0, but they are still installed. My
> reference is this forum post:
>
> https://forum.qubes-os.org/t/looking-for-list-of-dom0-packages-of-a-freshly-installed-4-3-0-system/38120/2

I guess one can run `dnf autoremove` after in-place upgrade, but I would
still recommend reviewing the packages list (as in - not appropriate for
doing automatically as an upgrade step).

As for the default installation, installer follows this file:
https://github.com/QubesOS/qubes-qubes-release/blob/main/comps/comps-dom0.xml
Note not all groups are installed, only those in environment qubes-xfce
(defined near end of the file). It probably can be reduced further if
you want to take a shot at it.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
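Added example, not part of the original message or of the Qubes repository: resolving which packages an environment such as qubes-xfce names in a comps file, and which group each one comes from, so that a removal candidate can be traced back to the group that pulls it in. The embedded comps document is a constructed sample; its group ids and package names are made up and do not reflect the real comps-dom0.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample in comps format. Group ids and package names are made up;
# only the environment id "qubes-xfce" is taken from the thread.
SAMPLE_COMPS = """<comps>
  <group><id>example-base</id><packagelist>
    <packagereq type="mandatory">example-core</packagereq>
    <packagereq type="optional">example-extra</packagereq>
  </packagelist></group>
  <group><id>example-desktop</id><packagelist>
    <packagereq type="default">example-panel-plugin</packagereq>
  </packagelist></group>
  <group><id>example-unused</id><packagelist>
    <packagereq type="mandatory">example-never-installed</packagereq>
  </packagelist></group>
  <environment><id>qubes-xfce</id><grouplist>
    <groupid>example-base</groupid>
    <groupid>example-desktop</groupid>
  </grouplist></environment>
</comps>"""

def environment_packages(comps_xml, env_id, types=("mandatory", "default")):
    """Return {package: (group id, requirement type)} for one environment.

    Only groups in the environment's <grouplist> count, and by default only
    mandatory/default packages, which is what a group install pulls in.
    """
    root = ET.fromstring(comps_xml)
    env = next((e for e in root.iter("environment")
                if e.findtext("id") == env_id), None)
    if env is None:
        raise KeyError(f"environment {env_id!r} not found")
    wanted = {g.text.strip() for g in env.findall("grouplist/groupid")}
    packages = {}
    for group in root.iter("group"):
        gid = group.findtext("id")
        if gid not in wanted:
            continue
        for req in group.findall("packagelist/packagereq"):
            if req.get("type") in types:
                packages.setdefault(req.text.strip(), (gid, req.get("type")))
    return packages

if __name__ == "__main__":
    for name, (gid, rtype) in sorted(environment_packages(SAMPLE_COMPS, "qubes-xfce").items()):
        print(f"{name:24} {rtype:10} from group {gid}")
```

The parsing needs no access to dom0: it can be run in any qube against a copy of the comps file. Packages installed only as dependencies never appear in comps, so absence from this list does not by itself mark a package as a leftover.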

qubist

Dec 26, 2025, 10:33:35 AM
to qubes...@googlegroups.com
On Fri, 26 Dec 2025 14:46:01 +0100 Marek Marczykowski-Górecki wrote:

> Just some random sample: [...]

What about e.g. acl? It is in the unneeded list in 4.2.4 but is
installed in 4.3.0.

> As for the default installation, installer follows this file:
> https://github.com/QubesOS/qubes-qubes-release/blob/main/comps/comps-dom0.xml
> Note not all groups are installed, only those in environment
> qubes-xfce (defined near end of the file). It probably can be reduced
> further if you want to take a shot at it.

I am looking at it. I wonder what is the necessity to have e.g.
xfce4-netload-plugin, considering it cannot monitor the network load of
sys-net?

Or what is qubes-dom0-unwanted-packages?

Also:

If one manages to use a separate GUIVM, would that make possible
removing XFCE stuff from dom0? But how would dom0 display its UI
elements then?

qube...@4forl1st5.slmail.me

Dec 26, 2025, 9:46:52 PM
to qubes...@googlegroups.com
On Friday, December 26th, 2025 at 11:52, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
>
> Dom0 is based on Fedora (41) Xfce spin and mostly follows what is
> included there. But, contrary to templates, we are more open to
> customizing it, removing unneeded parts etc. As for "what is necessary",
> I don't have a clear answer for you. Generally - if some qubes package
> depends on it, it's probably necessary. The easiest check is
> `dnf remove --assumeno <package>` and see what would be removed with
> it. But there are likely some cases where dependency is indirect, and
> maybe it could be avoided.
>
> For example, samba-client-libs is installed in dom0. If you try to
> remove it, it will try to remove a bunch of other packages, including
> initial-setup-gui and qubes-manager. But, we don't really use samba in
> dom0, it's some indirect dependency (looks to be via
> libavformat-free -> qt6-qtmultimedia -> python3-pyqt6 -> qubes-manager).
>
> I'm not sure if there is a harmless way to exclude that dependency (without
> rebuilding a lot of Fedora packages for example).

Have you thought about, and/or would you consider, building some "qubes stub"
RPMs, basically, RPMs devoid of files but that provide the dependency that
rpm/dnf is attempting to fix up when pulling in seemingly "unneeded"
packages?

Something like 'samba-client-libs' probably isn't referenced by name directly,
but merely by one of the SO-lib target defines within it.


Marek Marczykowski-Górecki

Dec 27, 2025, 2:29:01 PM
to qube...@4forl1st5.slmail.me, qubes...@googlegroups.com

That may work in some cases, but if a tool (here, qubes-manager)
actually loads the library (even if not using any function from it), not
having the file would break stuff.

But yes, in some cases providing a dummy replacement package may be an
option.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Marek Marczykowski-Górecki

Dec 27, 2025, 2:33:52 PM
to qubes...@googlegroups.com

On Fri, Dec 26, 2025 at 03:33:26PM -0000, qubist wrote:
> On Fri, 26 Dec 2025 14:46:01 +0100 Marek Marczykowski-Górecki wrote:
>
> > Just some random sample: [...]
>
> What about e.g. acl? It is in the unneeded list in 4.2.4 but is
> installed in 4.3.0.

The `dnf remove acl` test says it's not needed.

> > As for the default installation, installer follows this file:
> > https://github.com/QubesOS/qubes-qubes-release/blob/main/comps/comps-dom0.xml
> > Note not all groups are installed, only those in environment
> > qubes-xfce (defined near end of the file). It probably can be reduced
> > further if you want to take a shot at it.
>
> I am looking at it. I wonder what is the necessity to have e.g.
> xfce4-netload-plugin, considering it cannot monitor the network load of
> sys-net?

Looks like a candidate for removal.

> Or what is qubes-dom0-unwanted-packages?

This is an empty package trying to prevent some other packages from being
installed.

> Also:
>
> If one manages to use a separate GUIVM, would that make possible
> removing XFCE stuff from dom0? But how would dom0 display its UI
> elements then?

With sys-gui-gpu, there is no need for any graphical stuff in dom0. All
the interface (qubes-manager, widgets etc) runs in sys-gui-gpu then and
communicates with dom0 over Admin API (qrexec).

With sys-gui (not gpu one), you still need some graphical stuff in dom0
(X server, lightdm), but still all the qubes graphical stuff runs in
sys-gui.

You could remove graphical stuff from dom0 then, at least as long as you
really don't want to have even an option to run GUI in dom0, as a
fallback.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

qubist

Dec 28, 2025, 7:22:25 AM
to qubes...@googlegroups.com
Thanks, Marek!

I will definitely look into it further and report back my findings, in
case something may be useful.

On Sat, 27 Dec 2025 20:33:43 +0100 Marek Marczykowski-Górecki wrote:

> The `dnf remove acl` test says it's not needed.

Why is it not in the 'unneeded' list then?

> You could remove graphical stuff from dom0 then, at least as long as
> you really don't want to have even an option to run GUI in dom0, as a
> fallback.

Does the same apply to e.g. sys-audio HVM too?

What about packages like curl? Why does non-networked dom0 need curl?

Marek Marczykowski-Górecki

Dec 28, 2025, 3:18:01 PM
to qubes...@googlegroups.com

On Sun, Dec 28, 2025 at 12:22:15PM -0000, qubist wrote:
> Thanks, Marek!
>
> I will definitely look into it further and report back my findings, in
> case something may be useful.
>
> On Sat, 27 Dec 2025 20:33:43 +0100 Marek Marczykowski-Górecki wrote:
>
> > The `dnf remove acl` test says it's not needed.
>
> Why is it not in the 'unneeded' list then?

Idk...

> > You could remove graphical stuff from dom0 then, at least as long as
> > you really don't want to have even an option to run GUI in dom0, as a
> > fallback.
>
> Does the same apply to e.g. sys-audio HVM too?

Yes, similar story.

> What about packages like curl? Why does non-networked dom0 need curl?

Dnf says rpm-libs depends on curl...

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab