Problems with setting and changing NetVM of DispVMs

u+q...@bestemt.no

Apr 24, 2017, 8:44:15 AM
to qubes...@googlegroups.com
When I change a running DispVM's NetVM (in the Qubes VM Manager) (e.g.
from sys-whonix to sys-firewall) the DispVM loses its internet
connection. Changing the NetVM of a normal AppVM based on the same
TempVM as the DispVM does not cause any issues. How could this be?

I'm running Qubes 3.2. The TempVM in question is running debian
unstable, but I don't see how this can matter since I have no problems
with normal AppVMs based on it.

Imperfect workaround: Launch the DispVM with "qvm-run --dispvm $COMMAND"
from an AppVM that uses the desired NetVM (more correctly: has the
desired "NetVM for DispVM" setting*).

* As the UX is now, this setting is confusing and potentially
detrimental for security in my opinion:
https://github.com/QubesOS/qubes-issues/issues/2379#issuecomment-296650904

--
Ubestemt

Unman

Apr 24, 2017, 11:18:53 AM
to u+q...@bestemt.no, qubes...@googlegroups.com
I'm constantly switching NetVMs for disposableVMs - most of the time I do
this by script setting the netvm before opening the disposableVM, with
a keyboard shortcut.
On occasion I change the netVM for a running disposableVM and it just
works.
I make sure that I create the DVM Template using a netvm, and then set
it to none, using 'qvm-prefs foo.dvm -s netvm none'. That ensures that
disposableVMs are started using the value assigned to each qube using
dispvm_netvm, but seems to allow for netvm switching. (Actually I have
dispvm_netvm set to none across the board, so I rely on the ability to
change netvm.)
I don't know if that will make any difference to your experience?

unman

u+q...@bestemt.no

Apr 24, 2017, 1:08:10 PM
to Unman, qubes...@googlegroups.com
Unman <un...@thirdeyesecurity.org> [2017-04-24 17:19 +0200]:
> I'm constantly switching NetVMs for disposableVMs - most of the time I do
> this by script setting the netvm before opening the disposableVM, with
> a keyboard shortcut.

Would you explain how you have accomplished this?

> On occasion I change the netVM for a running disposableVM and it just
> works.

This is what does not work in my case.

> I make sure that I create the DVM Template using a netvm, and then set
> it to none, using 'qvm-prefs foo.dvm -s netvm none'. That ensures that
> disposableVMs are started using the value assigned to each qube using
> dispvm_netvm, but seems to allow for netvm switching. (Actually I have
> dispvm_netvm set to none across the board, so I rely on the ability to
> change netvm.)

I'm not sure I understand. You have set the DVM Template's NetVM to none
to make sure a DispVM always has the NetVM set as dispvm_netvm for the
VM it is launched from, is that correct? Do you never launch a DispVM
from dom0 then? If you do, its NetVM will be none, right? I still don't
understand what the text in the parentheses means. Just trying to
understand….

--
ubestemt

Unman

Apr 24, 2017, 6:15:51 PM
to u+q...@bestemt.no, qubes...@googlegroups.com
Sorry, it was all a bit gnomic, wasn't it?
I almost always start disposableVMs from dom0, and have keyboard
shortcuts for different disposableVMs connected to different netVMs.
I've posted earlier with a script I use to do this.

What works for me:
Create a DVMTemplate as usual with standard netvm.
qvm-prefs debian8-dvm netvm -s none

Use bash to iterate over all qubes:
qvm-prefs $i -s dispvm_netvm -s none

Then all disposableVMs launched from any qube are not network connected.

If I want to connect a disposableVM to a network, if it's running I just
use qvm-prefs to set the netvm. (I recognise that that is what you say
doesn't work for you - all I can say is that it works for all the
DVMTemplates that I have.)

Otherwise I have simple scripts to set and reset the netvm, like this:
qvm-prefs debian8-dvm -s netvm <name>
xdg-open /usr/local/share/applications/qubes-dispvm-firefox.desktop &
sleep 3
qvm-prefs debian8-dvm -s netvm none

and bind these to keyboard shortcuts.

I should say that I don't use Manager all that much, whereas the original
post was about changing netvm there, so maybe this is a significant
difference. (I've just tried it though and it seemed to work for me.)

I hope that's clearer

unman
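
A fail-closed variant of the set/launch/reset script described in the message above, added here as an example; it is not part of the thread and not Qubes project code. `QVM_PREFS`, `DVM_TEMPLATE`, `SETTLE_SECS` and both function names are assumptions introduced for this example; the `qvm-prefs <vm> -s netvm <value>` call shape is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: fail-closed form of the
# set-netvm / launch / reset-to-none script quoted above.
# Assumptions: QVM_PREFS, DVM_TEMPLATE and SETTLE_SECS are hook variables
# introduced here; only the qvm-prefs call shape comes from the thread.

QVM_PREFS="${QVM_PREFS:-qvm-prefs}"
DVM_TEMPLATE="${DVM_TEMPLATE:-debian8-dvm}"   # template name used in the thread
SETTLE_SECS="${SETTLE_SECS:-3}"               # same delay as the original script

# Put the DVM template back to "no network"; warn loudly if that fails.
reset_dvm_netvm() {
    "$QVM_PREFS" "$DVM_TEMPLATE" -s netvm none && return 0
    echo "WARNING: $DVM_TEMPLATE netvm was NOT reset to none" >&2
    return 3
}

# launch_dispvm_with_netvm <netvm> <launch command...>
# Runs in a subshell, so its traps and variables do not leak to the caller.
launch_dispvm_with_netvm() (
    netvm="$1"
    [ "$#" -ge 2 ] || { echo "usage: launch_dispvm_with_netvm <netvm> <cmd...>" >&2; exit 2; }
    shift
    # Reject empty names and anything qvm-prefs could read as an option.
    case "$netvm" in
        ""|-*|*[!A-Za-z0-9_.-]*) echo "refusing netvm name: $netvm" >&2; exit 2 ;;
    esac

    # An interrupted run must not leave the template networked.
    trap 'reset_dvm_netvm; exit 130' INT TERM

    rc=0
    if "$QVM_PREFS" "$DVM_TEMPLATE" -s netvm "$netvm"; then
        "$@" &                   # e.g. xdg-open .../qubes-dispvm-firefox.desktop
        sleep "$SETTLE_SECS"     # let the DispVM pick up the setting
    else
        rc=1                     # set failed: launch nothing
    fi

    # Reset on every path, including a failed set (state may be partial).
    reset_dvm_netvm || rc=3
    exit "$rc"
)
```

Exit status 3 means the reset itself failed and the template's netvm should be checked by hand before launching anything else.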