DisposableVM Help


Robert Spigler

Jul 11, 2020, 7:40:58 PM
to qubes-users
I have a debian-10-dvm and a whonix-ws-15-dvm.  I also had a fedora-30-dvm, but when upgrading to fedora-32, I followed "Creating a New DisposableVM Template" here: (https://www.qubes-os.org/doc/disposablevm-customization/), so no longer have the fedora-30-dvm. Instead, I have a custom-disposablevm-template based on fedora-32. I would prefer to rename this to fedora-32-dvm-template, but renaming fails with 'Failed to clone appmenus'.

My main question/problem is that unlike the debian-10-dvm and whonix-ws-15-dvm, opening an application in fedora-32-dvm-template does not open a disposableVM (disp####), instead it opens 'custom-disposablevm-template'.  IIUC, that is because I am supposed to create fedora-32-dvm from the dvm-template.  But I cannot figure out how to do that.  It is set as the default disposableVM template, so opening files through the GUI in a disposableVM will open them in a disposableVM based on fedora-32, but I would still like to be able to open an application through the GUI/start menu in a fedora-32-dvm.

What I am also having trouble understanding is what dvm-template the debian-10-dvm and whonix-ws-15-dvm are based on. I know Qubes 4.0 introduced multiple DVMTemplates, but I don't see any other DVMTemplates listed under the start menu.  In Qubes Manager, debian-10-dvm and whonix-ws-15-dvm are marked as being their own DVMTemplates? But also DVMs themselves?

Thank you,

Robert

unman

Jul 12, 2020, 8:27:45 AM
to qubes-users
Hi Robert,

As you say, Qubes 4.0 allowed for the use of many DVMTemplates - any
qube can be used as the basis for disposableVMs.
So the debian-10-dvm is not based on a dvm-template - it *is* a
dvm-template, a qube using the debian-10 template which has had the
`template_for_dvms` flag set.
That's all there is to it.

In your case, I suspect that the appmenus have not been correctly set,
so that they still refer to 'custom-disposablevm-template', instead of
using that as the basis for a disposableVM.
You can try running the command
`qvm-features custom-disposablevm-template appmenus-dispvm 1`, although
there was an open issue about this command failing in some cases.

In dom0, (and therefore the menus), the difference is between:
qvm-run custom-disposablevm-template --service qubes.StartApp+xterm
and
qvm-run dispvm=custom-disposablevm-template --service qubes.StartApp+xterm

hth

unman
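
Added example, not part of unman's post or the Qubes project's code: a dom0 shell check of the two settings this thread turns on, the `template_for_dispvms` property and the `appmenus-dispvm` feature. `QVM_PREFS` and `QVM_FEATURES` are hypothetical override variables introduced here so the logic can be exercised without Qubes; the check reads settings only and does not inspect the generated menu entries.

```shell
#!/bin/sh
# Added example: audit a qube's disposable-template settings from dom0.
# qvm-prefs and qvm-features are the dom0 tools used in the thread.
# QVM_PREFS / QVM_FEATURES are hypothetical overrides (assumption, for testing).
QVM_PREFS=${QVM_PREFS:-qvm-prefs}
QVM_FEATURES=${QVM_FEATURES:-qvm-features}

# Prints one word describing how the qube is configured:
#   ok                   property True and feature 1
#   appmenus-dispvm-off  usable as a DVM template, but menu entries are not
#                        set to spawn disposableVMs (apps would run in the
#                        template itself, the risk the Whonix note describes)
#   not-a-dvm-template   template_for_dispvms is not True
#   no-such-qube-or-property  qvm-prefs failed (e.g. run against a TemplateVM)
dvm_template_status() {
    vm=$1
    pref=$("$QVM_PREFS" "$vm" template_for_dispvms 2>/dev/null) || {
        echo "no-such-qube-or-property"
        return 0
    }
    # An unset feature makes qvm-features fail; treat that as "off".
    feat=$("$QVM_FEATURES" "$vm" appmenus-dispvm 2>/dev/null) || feat=""

    if [ "$pref" != "True" ]; then
        echo "not-a-dvm-template"
    elif [ "$feat" != "1" ]; then
        echo "appmenus-dispvm-off"
    else
        echo "ok"
    fi
}

# Stand-alone use in dom0: sh check-dvm.sh fedora-32-dvm-template debian-10-dvm
if [ $# -gt 0 ]; then
    for name in "$@"; do
        printf '%s: %s\n' "$name" "$(dvm_template_status "$name")"
    done
fi
```
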

fiftyfour...@gmail.com

Jul 12, 2020, 12:17:04 PM
to qubes-users
I read about this particular bug in whonix DVM that's possibly relevant: 

> Use caution when spawning a DispVM for the first time when it is based on a freshly created DVM Template. This Qubes bug can lead to the DVM Template starting instead of the DispVM. [29] [30] There could be serious consequences if an application like Tor Browser was started in a DVM Template and used extensively for web browsing. Compromise of the DVM Template would mean all DispVMs spawned from it would be similarly compromised; see Running Tor Browser in Qubes TemplateVM.


Robert Spigler

Jul 14, 2020, 10:53:18 AM
to qubes-users
Thank you both.

For security reasons, in case the DVMTemplate has been compromised, I deleted it.

How would I go about properly creating a fedora-32-dvm with the 'template_for_dvms' flag set?

Thank you

awokd

Jul 14, 2020, 5:22:59 PM
to qubes...@googlegroups.com
Robert Spigler:

> How would I go about properly creating a fedora-32-dvm with the
> 'template_for_dvms' flag set?

https://www.qubes-os.org/doc/disposablevm-customization/

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

Robert Spigler

Jul 17, 2020, 3:14:07 PM
to qubes-users
According to the documentation, I try:

'qvm-prefs fedora-32-dvm template_for_dispvms True'

error: no such domain: 'fedora-32-dvm'

Tried 'qvm-prefs fedora-32 template_for_dispvms True'

error: no such property: 'template_for_dispvms'


Following 'Creating a New DisposableVM Template' further down the page:

'qvm-create --template fedora-32 --label red fedora-32-dvm-template'
'qvm-prefs fedora-32-dvm-template template_for_dispvms True'
'qvm-features fedora-32-dvm-template appmenus-dispvm 1'

This creates a domain titled 'fedora-32-dvm-template' like I describe in my original post, with the disposable_vm_template flag set, but it is not a disposableVM itself, which is what I am attempting.

unman

Jul 17, 2020, 9:27:06 PM
to qubes-users
> DisposableVM itself, which is what I am attempting.
>

Hi Robert
I'm sorry my previous post wasn't clear enough.
A DisposableVM is based on a DisposableVM Template.
You have created a DisposableVM Template. You can use it to spawn
disposableVMs.
You can do this by hand:
qvm-run dispvm=fedora-32-dvm-template --service qubes.StartApp+xterm

Setting the qvm-features as you have done *should* create menu items
that will spawn disposableVMs that use that template.

If you wanted to create disposableVMs based on a qube that uses the
fedora-32 template, that is what you have done.
If that is *not* what you were attempting, please explain exactly what
it is you want. (If you think that your fedora-32-dvm-template should
itself be a DisposableVM, please re-read the glossary, and the page on
disposableVMs: *this* attempt is based on a misunderstanding of how
disposableVMs are created in Qubes 4.)

Robert Spigler

Jul 18, 2020, 12:11:16 AM
to qubes-users
I appreciate your help.

'qvm-run dispvm=fedora-32-dvm-template --service qubes.StartApp+xterm' results in the error:

unrecognized arguments: qubes.StartApp+xterm.

I don't know if I am communicating this correctly, but I am trying to create a fedora-32-dvm, that is also itself a DVMTemplate (has the 'template_for_dvms' flag set), like I currently have for my debian-10-dvm and whonix-15-dvm.  Is this not the proper way to run DVM's?

I currently have a menu item for 'fedora-32-dvm-template', but opening any application from the menu, like Firefox for example, opens the DVMTemplate, not a DispVM.

unman

Jul 18, 2020, 9:18:46 AM
to qubes-users
On Fri, Jul 17, 2020 at 09:11:16PM -0700, Robert Spigler wrote:
> I appreciate your help.
>
> 'qvm-run dispvm=fedora-32-dvm-template --service qubes.StartApp+xterm'
> results in the error:
>
> unrecognized arguments: qubes.StartApp+xterm.
>
> I don't know if I am communicating this correctly, but I am trying to
> create a fedora-32-dvm, that is also itself a DVMTemplate (has the
> 'template_for_dvms' flag set), like I currently have for my debian-10-dvm
> and whonix-15-dvm. Is this not the proper way to run DVM's?

Yes, it is, and from what you have said, that is what you have. (EXCEPT
that the flag is `template_for_dispvms` not `template_for_dvms` - is this a
typo or the root of the problem?)

> I currently have a menu item for 'fedora-32-dvm-template', but opening any
> application from the menu, like Firefox for example, opens the DVMTemplate,
> not a DispVM.
>

And this seems to be the problem - you *have* a DVMTemplate, but your
menu items continue to point to the DVMTemplate, instead of using it to
spawn a disposableVM.
In a previous post I pointed out the difference between the menu items.

The best I can suggest is that you:
`qvm-features fedora-32-dvm-template appmenus-dispvm 0`
Check the menu item.
Check (again) that you have `template_for_dispvms` flag set.
`qvm-features fedora-32-dvm-template appmenus-dispvm 1`
Check the menu item again.

If it still is not working then we can dig in to the menu items, but on
Xfce I may be struggling.

unman

Robert Spigler

Jul 18, 2020, 4:11:17 PM
to qubes-users

> Yes, it is, and from what you have said, that is what you have. (EXCEPT
> that the flag is `template_for_dispvms` not `template_for_dvms` - is this a
> typo or the root of the problem?)

I believe that was a typo, sorry.  I was just stating what the flag was from your first post, but you said 'template_for_dvms' there as well. How do I check the flag other than seeing if it is marked 'Yes' for 'DisposableVM Template' in Qube Manager? It is marked 'Yes', if that helps.


> The best I can suggest is that you:
> `qvm-features fedora-32-dvm-template appmenus-dispvm 0`
> Check the menu item.
> Check (again) that you have `template_for_dispvms` flag set.
> `qvm-features fedora-32-dvm-template appmenus-dispvm 1`
> Check the menu item again.

I tried the above, and there was no difference in menu or whether or not the qube had 'Yes' marked under 'DisposableVM Template' in Qube Manager. Opening an application under the menu still opened the template, and not a disposableVM.

I don't know if this information helps or not, but for the debian-10-dvm and whonix-15-dvm, they are labeled in the menu as 'Disposable: debian-10-dvm' and 'Disposable: whonix-15-dvm' at the top.  The other is listed as 'Domain: fedora-32-dvm-template' with the rest of my AppVMs, before listing my ServiceVMs and TemplateVMs.  I am attempting to create what I had before; another 'Disposable: fedora-32-dvm' that is its own DisposableVM Template.

unman

Jul 19, 2020, 9:52:24 AM
to qubes-users
On Sat, Jul 18, 2020 at 01:11:16PM -0700, Robert Spigler wrote:
> > Yes, it is, and from what you have said, that is what you have. (EXCEPT
> > that the flag is `template_for_dispvms` not `template_for_dvms` - is this
> > a typo or the root of the problem?)
>
> I believe that was a typo, sorry. I was just stating what the flag was
> from your first post, but you said 'template_for_dvms' there as well. How
> do I check the flag other than seeing if it is marked 'Yes' for
> 'DisposableVM Template' in Qube Manager? It is marked 'Yes', if that helps

My bad.
You can check it from a dom0 terminal, using `qvm-prefs`.

> > The best I can suggest is that you:
> > `qvm-features fedora-32-dvm-template appmenus-dispvm 0`
> > Check the menu item.
> > Check (again) that you have `template_for_dispvms` flag set.
> > `qvm-features fedora-32-dvm-template appmenus-dispvm 1`
> > Check the menu item again.
>
> I tried the above, and there was no difference in menu or whether or not
> the qube had 'Yes' marked under 'DisposableVM Template' in Qube Manager.
> Opening an application under the menu still opened the template, and not a
> disposableVM.
>
> I don't know if this information helps or not, but for the debian-10-dvm
> and whonix-15-dvm, they are labeled in the menu as 'Disposable:
> debian-10-dvm' and 'Disposable: whonix-15-dvm' at the top. The other is
> listed as 'Domain: fedora-32-dvm-template' with the rest of my AppVM's,
> before listing my ServiceVMs and TemplateVMs. I am attempting to create
> what I had before; another 'Disposable: fedora-32-dvm' that is it's own
> DisposableVM Template.
>

I tried this - it *did* create a Disposable menu item, and the entries
started disposableVMs.
Not much help to you, but it confirms that there is nothing inherently
wrong with the fedora-32 template.
I would delete the qube, make sure your system is fully
updated (optionally reboot), and start again.
Don't get hung up on the terminology.
Create the qube based on the fedora-32 template, and mark it as
DisposableVM template, either in Qube Manager or at command line.

Robert Spigler

Jul 20, 2020, 8:12:42 PM
to qubes-users
'qvm-prefs fedora-32-dvm-template' shows that 'template_for_dispvms' is marked as 'True' and the template is Fedora-32.

I will try fully updating, deleting, restarting, and trying again.