Network VM's always autostart even when they are not supposed to


Elias Mårtenson

Nov 17, 2017, 5:58:25 AM
to qubes-devel
I have configured sys-net and sys-firewall to only manage the WLAN connection. I have
then set up two separate VM's, foo-net and foo-firewall that manages the ethernet
interface on my computer. The latter is connected to a separate network, and have
dedicated VM's connected to them.

The behaviour that I am observing is that foo-net and foo-firewall are automatically
started whenever I boot the machine, even though they have autostart = False.
Also, there are no VM's started that depend on these network VM's.

What could trigger the start of these VM's?

Unman

Nov 17, 2017, 6:08:25 AM
to Elias Mårtenson, qubes-devel
You haven't said which version of Qubes you are running.
In 3.2 the qubes-netvm service may be responsible. You could try
changing the default netvm, or temporarily disabling the
qubes-netvm.service and see if that changes behaviour.

Elias Mårtenson

Nov 17, 2017, 6:12:07 AM
to Unman, qubes-devel
On 17 November 2017 at 19:08, Unman <un...@thirdeyesecurity.org> wrote:
 
> You haven't said which version of Qubes you are running.
> In 3.2 the qubes-netvm service may be responsible. You could try
> changing the default netvm, or temporarily disabling the
> qubes-netvm.service and see if that changes behaviour.

Oops. Sorry about that. It's 4.0rc2.

Regards,
Elias

Chris Laprise

Nov 18, 2017, 7:55:09 AM
to qubes...@googlegroups.com
On 11/17/2017 06:12 AM, Elias Mårtenson wrote:
> On 17 November 2017 at 19:08, Unman <un...@thirdeyesecurity.org> wrote:
>
> You haven't said which version of Qubes you are running.
> In 3.2 the qubes-netvm service may be responsible. You could try
> changing the default netvm, or temporarily disabling the
> qubes-netvm.service and see if that changes behaviour.
>
>
> Oops. Sorry about that. It's 4.0rc2.
>

I was able to prevent sys-net and sys-firewall auto-start in rc2 by
simply disabling 'Start VM automatically at boot' in settings. The only
other difference is that my default netvm is set to 'VPN' but I wouldn't
expect that to matter.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Elias Mårtenson

Nov 19, 2017, 9:25:52 PM
to qubes-devel
On Saturday, 18 November 2017 20:55:09 UTC+8, Chris Laprise wrote:
> On 11/17/2017 06:12 AM, Elias Mårtenson wrote:
> > On 17 November 2017 at 19:08, Unman <un...@thirdeyesecurity.org> wrote:
> >
> > > You haven't said which version of Qubes you are running.
> > > In 3.2 the qubes-netvm service may be responsible. You could try
> > > changing the default netvm, or temporarily disabling the
> > > qubes-netvm.service and see if that changes behaviour.
> >
> > Oops. Sorry about that. It's 4.0rc2.
>
> I was able to prevent sys-net and sys-firewall auto-start in rc2 by
> simply disabling 'Start VM automatically at boot' in settings. The only
> other difference is that my default netvm is set to 'VPN' but I wouldn't
> expect that to matter.

I've confirmed that both the net- and firewall VM's are configured to not start
at boot (as far as I understand, this option simply controls the ‘autostart’
prefs option), yet the VM's still start at boot.

The only other thing that is special about these VM's is that my second
netvm has the ethernet hardware attached to it. That said, even if that was
the cause it wouldn't explain why the firewall vm starts at boot too.

-- 
Elias

Marek Marczykowski-Górecki

Nov 20, 2017, 6:32:50 AM
to Elias Mårtenson, qubes-devel

On Sun, Nov 19, 2017 at 06:25:52PM -0800, Elias Mårtenson wrote:
> On Saturday, 18 November 2017 20:55:09 UTC+8, Chris Laprise wrote:
> >
> > On 11/17/2017 06:12 AM, Elias Mårtenson wrote:
> > > On 17 November 2017 at 19:08, Unman <un...@thirdeyesecurity.org> wrote:
> > >
> > > You haven't said which version of Qubes you are running.
> > > In 3.2 the qubes-netvm service may be responsible. You could try
> > > changing the default netvm, or temporarily disabling the
> > > qubes-netvm.service and see if that changes behaviour.
> > >
> > > Oops. Sorry about that. It's 4.0rc2.
> >
> > I was able to prevent sys-net and sys-firewall auto-start in rc2 by
> > simply disabling 'Start VM automatically at boot' in settings. The only
> > other difference is that my default netvm is set to 'VPN' but I wouldn't
> > expect that to matter.
>
>
> I've confirmed that both the net- and firewall VM's are configured to not
> start at boot (as far as I understand, this option simply controls the
> ‘autostart’ prefs option), yet the VM's still start at boot.
>
> The only other thing that is special about these VM's is that my second
> netvm has the ethernet hardware attached to it. That said, even if that was
> the cause it wouldn't explain why the firewall vm starts at boot too.

Is any other VM started there too? Maybe some other VM (using such
netvm) is configured with autostart=True.

Another possibility is dom0 update check or dom0 clock sync. Those
actions require appropriate VM to be running (see global prefs -
updatevm, clockvm). I think they will be started for that.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Elias Mårtenson

Nov 20, 2017, 11:52:40 PM
to qubes-devel
On Monday, 20 November 2017 19:32:50 UTC+8, Marek Marczykowski-Górecki wrote:

> > I've confirmed that both the net- and firewall VM's are configured to not
> > start at boot (as far as I understand, this option simply controls the
> > ‘autostart’ prefs option), yet the VM's still start at boot.
> >
> > The only other thing that is special about these VM's is that my second
> > netvm has the ethernet hardware attached to it. That said, even if that was
> > the cause it wouldn't explain why the firewall vm starts at boot too.
>
> Is any other VM started there too? Maybe some other VM (using such
> netvm) is configured with autostart=True.

No. After boot, the only VM that is started except for the two sets of netvm/firewallvm
is sys-usb.

There are only three VM's that use the alternative netvm/firewallvm and none of them
are autostart.
 
> Another possibility is dom0 update check or dom0 clock sync. Those
> actions require appropriate VM to be running (see global prefs -
> updatevm, clockvm). I think they will be started for that.

updatevm and clockvm are set to sys-firewall and sys-net respectively, so that can't
be the reason either.

Regards,
Elias
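
The two causes raised in this thread (a VM with autostart=True that sits behind the netvm, and the global updatevm/clockvm) can be checked mechanically by walking each netvm chain. The script below is an added example, not code from the thread or from the Qubes project: the table format, function names and sample data are constructed here, and `collect_table` assumes dom0's `qvm-ls --raw-list`, `qvm-prefs` and `qubes-prefs` commands.

```shell
#!/bin/bash
# Input on stdin: one line per VM, "name autostart netvm" ("-" = no netvm).
# Arguments: the global updatevm and clockvm. Output: "vm: reason" for every
# VM these settings would start at boot, directly or as an upstream netvm.
boot_start_reasons() {
    awk -v updatevm="$1" -v clockvm="$2" '
        { auto[$1] = $2; netvm[$1] = $3; order[NR] = $1 }
        # Mark vm and every netvm upstream of it, recording the first reason.
        function pull(vm, why,    hops) {
            while (vm != "" && vm != "-" && vm != "None" && hops++ < 32) {
                if (!(vm in reason)) reason[vm] = why
                why = "netvm of " vm
                vm = netvm[vm]          # hop cap above guards against loops
            }
        }
        END {
            for (i = 1; i <= NR; i++)
                if (auto[order[i]] == "True") pull(order[i], "autostart=True")
            pull(updatevm, "global updatevm")
            pull(clockvm, "global clockvm")
            for (i = 1; i <= NR; i++)
                if (order[i] in reason) print order[i] ": " reason[order[i]]
        }'
}

# Constructed sample modelled on the setup described in the thread.
sample_table() {
cat <<'EOF'
sys-net True -
sys-firewall True sys-net
sys-usb True -
foo-net False -
foo-firewall False foo-net
work False foo-firewall
EOF
}

# In dom0, build the same table from the live configuration.
collect_table() {
    for vm in $(qvm-ls --raw-list); do
        nv=$(qvm-prefs "$vm" netvm 2>/dev/null)
        echo "$vm $(qvm-prefs "$vm" autostart 2>/dev/null) ${nv:--}"
    done
}
# dom0 usage:
#   collect_table | boot_start_reasons "$(qubes-prefs updatevm)" "$(qubes-prefs clockvm)"
```

A netvm that is running after boot but missing from this output, as foo-net and foo-firewall are in the sample, was started by something other than these settings.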