This approach is actually quite nice. I have never used bind-dirs though. How would I go about this? Symlink from /usr/bin to the homedir of the VM, or how?
I actually already open all links in disposable VMs, unless of course it is something that I use/trust. So that part of the equation is solved :)
> > * I will probably create a standalone VM based off of 'trusted' that I use
> > for development. So I will install stuff like docker, golang, and all other
> > stuff I would otherwise use for developing.
>
> I may be wrong, but all those development tools are open source and likely
> shipped by your distro. In which case I wonder what the benefit is to putting
> them into its own VM?
I may use libs that I haven't necessarily looked through, or have no idea where they originate from. Also, this VM will need to communicate more extensively with the Internet, as I make web utils or other stuff. I would prefer having this VM isolated at any rate :)
> In short, maybe the simplest way is to create;
>
> * TemplateVM: debian9
> * Work AppVM based on debian9
> * Untrusted AppVM based on debian9, adds untrusted apps using binds
> * any other AppVMs you need... All based on the same debian9 template.
>
> > NOTE: I use zsh with oh my zsh and spacemacs. Both of which are git repos
> > that are cloned to the homedir of the user (meaning they are git repos
> > cloned to /etc/skel)
>
> Using /etc/skel just causes the data to be copied to the appvm homedir on
> first start.
> You end up duplicating the data anyway, maybe you can use a different way to
> copy everything between VM homedirs.
> Notice that you can just do a qvm-copy [dir] which copies recursively.
But it's fine by me if it only happens once. That means I just need to set up the template exactly the way I want, before I create AppVMs. I'd rather clone the repos and copy my settings files, .ssh, and other config/setup stuff in my template once, than do it for all AppVMs.
Thanks again for your help Tom :)
I still need assistance with the initial start up of sys-net and sys-firewall though :(
Okay, so I found the documentation for bind-dirs (https://www.qubes-os.org/doc/bind-dirs/), but was still wondering if you meant binding the AppVM's /usr/bin and /usr/local/bin, or were thinking of something else?
I would assume I need to bind all dirs that a given application is going to write to (such as potentially /usr/share, /var/lib, etc).
Any thoughts?
Can anything be done to fix this?
I can't seem to find a solution in that issue, other than core components being updated.
It's fine with me if there aren't any workarounds btw. Just wondering :)