Dom0 connectivity for maintenance


Braden

Feb 28, 2018, 11:52:07 AM
to qubes-users
Performing some modifications to dom0, but when I run apps like wget from dom0 terminal I am unable to resolve addresses. Same if I were to try running firefox from dom0. Know this is because of security benefits, but how can I enable networking from there. Say I wanted to connect to dom0 from a vnc temporarily.

Yuraeitha

Feb 28, 2018, 12:10:24 PM
to qubes-users
On Wednesday, February 28, 2018 at 5:52:07 PM UTC+1, Braden wrote:
> Performing some modifications to dom0, but when I run apps like wget from dom0 terminal I am unable to resolve addresses. Same if I were to try running firefox from dom0. Know this is because of security benefits, but how can I enable networking from there. Say I wanted to connect to dom0 from a vnc temporarily.

I think this might be possible without too much trouble, but before that, what is it you want to install in dom0? Are you sure you can't use existing means or do it from an AppVM?

For example if you need htop or something else in the fedora repositories, you can do "sudo qubes-dom0-update htop" which will install htop in dom0. Same with everything else in fedora repositories.

What kind of program is it you need to install in dom0? The general notion is that it's best to not install anything there at all, which becomes a stronger and stronger reinforced point at every new Qubes released version, when less and less is needed to be done in dom0.

Does what you want to achieve have to be in dom0 to get it working?
Is it possible you can tell us what you want to achieve/install? There might be other/better ways to do it.

Yuraeitha

Feb 28, 2018, 12:11:34 PM
to qubes-users
On Wednesday, February 28, 2018 at 5:52:07 PM UTC+1, Braden wrote:
> Performing some modifications to dom0, but when I run apps like wget from dom0 terminal I am unable to resolve addresses. Same if I were to try running firefox from dom0. Know this is because of security benefits, but how can I enable networking from there. Say I wanted to connect to dom0 from a vnc temporarily.

I also believe you can just add the extra repository to make dom0 install/update in a secure way, without attaching the network directly to dom0. But as mentioned above, first, what is it you actually want to do?

Braden

Feb 28, 2018, 12:17:53 PM
to qubes-users

Understandable, I'd need to install a VNC into dom0 so I can easily change hvms and appvm settings from work, so how should I go about attaching the network?

Unman

Feb 28, 2018, 12:38:49 PM
to Braden, qubes-users
On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> Performing some modifications to dom0, but when I run apps like wget from dom0 terminal I am unable to resolve addresses. Same if I were to try running firefox from dom0. Know this is because of security benefits, but how can I enable networking from there. Say I wanted to connect to dom0 from a vnc temporarily.
>
There's almost never any need to do this. If you want to install
packages you can use the update mechanism. Otherwise download files in a
qube and then copy them in to dom0 and install them there.
If dom0 is compromised then all your qubes are open.

But you probably know this already.

As things stand it's difficult, but not impossible to access dom0. You
could open a channel to allow vnc to a qube and use socat and an rpc
service to front to dom0. But really just don't do it: it subverts the
whole point in using Qubes.
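
An added example, not part of the post above or of Qubes itself: the "download files in a qube and then copy them in to dom0" route, with a digest check before the file is kept. It is meant for a dom0 terminal; `fetch_to_dom0`, the `QVM_RUN` variable and the sample arguments are assumptions of this sketch, and `qvm-run --pass-io` is the Qubes tool that does the transfer.

```shell
#!/bin/sh
# Added example: copy one file from a qube into dom0 and keep it only if its
# SHA-256 matches a digest obtained from a source you trust. The digest must
# NOT come from the same qube; that qube is the untrusted party here.
# QVM_RUN is an assumption of this sketch so the transfer tool can be stubbed.
QVM_RUN="${QVM_RUN:-qvm-run}"

# fetch_to_dom0 <source-qube> <path-in-qube> <dest-in-dom0> <expected-sha256>
# Returns 0 on success, 2 if the transfer failed, 3 on digest mismatch.
# Limitation: <path-in-qube> must not contain a single quote.
fetch_to_dom0() {
    src_vm=$1; src_path=$2; dest=$3; expected=$4

    # Stage beside the destination so unverified data never sits at $dest.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1

    # --pass-io connects the stdout of the command run in the qube to dom0.
    if ! "$QVM_RUN" --pass-io "$src_vm" "cat -- '$src_path'" > "$tmp"; then
        rm -f "$tmp"
        echo "transfer from $src_vm failed" >&2
        return 2
    fi

    # Hash in dom0, never in the qube that supplied the bytes.
    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "digest mismatch for $src_path: got $actual" >&2
        return 3
    fi

    mv -- "$tmp" "$dest"
}

# Constructed usage (qube name and paths are placeholders):
#   fetch_to_dom0 work /home/user/pkg.rpm "$HOME/pkg.rpm" <expected-sha256>
```
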


Yuraeitha

Feb 28, 2018, 12:48:43 PM
to qubes-users

btw, isn't it possible that he can use the Qubes 4 dom0 admin features to make changes to VMs from a remote location? Could the solution be to upgrade to Qubes 4 and use that instead? I haven't yet gone discovering/understood the limitations of the Qubes 4 dom0 admin tools, but isn't this a perfect match to his goal if he upgrades? Apologies if I misunderstood how the dom0 admin features work, I haven't started using it myself yet.

Braden

Feb 28, 2018, 12:50:17 PM
to qubes-users

Fair enough, suppose will copy the package to dom0 and then install my vnc server there, but would the firewall refuse to allow connections just like how firefox and wget refuse in dom0?

Unman

Feb 28, 2018, 12:50:23 PM
to Yuraeitha, qubes-users
Yes, it is.
OP could read this post
https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/

Braden

Feb 28, 2018, 12:51:14 PM
to qubes-users

Only need VNC client connections working that is

Unman

Feb 28, 2018, 12:53:13 PM
to Braden, qubes-users
By design dom0 has no networking.
If you MUST break Qubes, and you can't use the admin features in 4.0
(see my last post), then you'll have to use some service to pass data in
and out of dom0 WITHOUT networking.


awokd

Feb 28, 2018, 12:59:09 PM
to Unman, Braden, qubes-users
On Wed, February 28, 2018 5:53 pm, Unman wrote:

>
> By design dom0 has no networking.
> If you MUST break Qubes, and you can't use the admin features in 4.0
> (see my last post), then you'll have to use some service to pass data in
> and out of dom0 WITHOUT networking.

Another option for remote access might be a TCP/IP based hardware KVM, or
equivalent built in to your computer already like IPMI or DRAC. Obviously,
Qubes can't provide any security beyond a screensaver password from an
attack using those.



Yuraeitha

Feb 28, 2018, 1:00:01 PM
to qubes-users

Is VNC capable of something that can't be done with the Qubes 4 dom0/admin tools? Just curious, maybe it can be solved.

Braden

Feb 28, 2018, 1:10:33 PM
to qubes-users
My hardware is only 3.2 supported rn as you guessed, suppose I could explore the unique service idea, is there anything similar on *nix?

Yuraeitha

Feb 28, 2018, 1:30:55 PM
to qubes-users

From a security point of view, Qubes 4 is probably long past the point to surpass the security risk there is to opening up dom0 to networking (if comparing the two situations purely from a security risk point of view). So if you got the time for it, it might be worth it to install Qubes to gain access to the dom0 admin tools. In terms of reliability, well personally I feel Qubes 4 is pretty stable, I haven't had any major issues. But they're still working on it, though, I believe it's because they want it to be as perfect as possible. It's very different from being ready to release, and to release something near a perfection goal. Well obviously perfection is a dangerous word to use, but it can be translated into high quality instead. That's how I perceive it at least. If you got the time, it may be worth upgrading.

Perhaps others may put in a word for how ready they perceive Qubes 4 is for productivity and mission critical work. Since it isn't officially released as a final release yet, the more views on this matter, the merrier and more accurate it'll be.

Braden

Feb 28, 2018, 8:59:26 PM
to qubes-users

I'm excited for qubes 4 as well, even for more than the admin tools. It's just that my hardware doesn't support the upgrade :(

Tim W

Mar 1, 2018, 4:08:09 PM
to qubes-users
Day use for basic tasks, sure; mission critical, no way. IMO all one has to do is look at the hundreds of posts about issues, not to mention if it was ready or close to it we would not be getting a 4.0 release candidate 5. 4.0 was such a change, IMO it's expected to have the need for this extra smoothing out of the code.

I guess it's also perspective. For some people mission critical can mean emails to their grandma, others school work, others where people's lives and well-being are on the line.

Alex Dubois

Mar 1, 2018, 5:13:08 PM
to qubes-users

This could be useful: https://www.qubes-os.org/doc/safe-remote-ttys/

only tty...
