How to connect Tenmplate VM to the internet

318 views
Skip to first unread message

799

unread,
Oct 28, 2018, 5:58:33 PM10/28/18
to qubes...@googlegroups.com
Hello,

I am currently building a special Storage VM Template which needs to download specific packages and also GIT repositories.
Therefor I'd like to allow internet access for the template VM.
The NetVM is set to sys-firewall and access to the internet is allowed under Qubes Settings.

But the Template VM is unable to access the internet.
What needs to be done, so that I can connect the Template VM?

- O

awokd

unread,
Oct 28, 2018, 7:19:50 PM10/28/18
to qubes...@googlegroups.com
799:
I think you also need to manually configure networking if you really
want to do that.

unman

unread,
Oct 28, 2018, 9:13:36 PM10/28/18
to qubes...@googlegroups.com
Nothing further needs to be done. This should "just work"(TM).

If it isnt working for you then you should do standard troubleshooting-
Check that Template has IP address set (you shouldnt need to set this
manually), and it is consistent with sys-firewall.
Check the route.
Check that /etc/resolv.conf looks proper.
Check that traffic is arriving at sys-firewall and that rules are set
correctly there.

unman

799

unread,
Oct 29, 2018, 4:32:56 PM10/29/18
to un...@thirdeyesecurity.org, qubes...@googlegroups.com
Hello,

... I am giving up.

On Mon, 29 Oct 2018 at 02:13, unman <un...@thirdeyesecurity.org> wrote:
On Sun, Oct 28, 2018 at 10:58:21PM +0100, 799 wrote:
> But the Template VM is unable to access the internet.
> What needs to be done, so that I can connect the Template VM?
 
Nothing further needs to be done. This should "just work"(TM).

If it isnt working for you then you should do standard troubleshooting-
Check that Template has IP address set (you shouldnt need to set this
manually), and it is consistent with sys-firewall.
Check the route.
Check that /etc/resolv.conf looks proper.

I am unable to enable networking on my template VM.
It is based on a regular fedora-28-minimal template as all my other Templates.
Strangely I am able to install normal packages via dnf but the Template VM is not showing an IP address.

It seems that the eth0 interface is DOWN.
Honestly I don't understand how I can install packages at all if I can't even ping my sys-firewall VM from the Template VM.

So what are the detailed steps to enable networking in a Template VM which is cloned from a fedora-28-minimal template?

- O

unman

unread,
Oct 29, 2018, 7:46:22 PM10/29/18
to qubes...@googlegroups.com
By default TemplateVMs are not network enabled. They are able to update
because they use the Qubes Update Proxy. You can (and should) read about
this at https://www.qubes-os.org/doc/software-update-vm/#updates-proxy

You hadn't said previously that you were using a minimal template.
Have a look at https://www.qubes-os.org/doc/templates/fedora-minimal/

What you need to do is:
1. qvm-run -u root <template> xterm
2. (in template): dnf install qubes-core-agent-networking
3. Shutdown template
4. qvm-prefs <template> netvm sys-firewall
5. qvm-run -u root <template> xterm

Bear in mind that templates are meant to be kept offline, and you should
be particularly careful if you put one online. Any mistake here could
compromise all qubes that use that template.

HTH

unman

Reply all
Reply to author
Forward
0 new messages