can we have debian-minimal?


tnt_b...@keemail.me

Mar 19, 2017, 5:51:39 AM
to Qubes Users
Hi there,

Fedora minimal is a great idea to have inside Qubes. I wonder why we don't have Debian minimal as well inside Qubes?

(debian-qubes has many packages which are not necessary to be installed, e.g. printing packages. Though, it will be nice to install the needed packages from the user pleasures, not by default.)

Thanks

Dominique St-Pierre Boucher

Mar 19, 2017, 1:38:44 PM
to qubes-users, tnt_b...@keemail.me

This would be wonderful. I tried to create one by removing some packages, but there was not a big impact on space or memory usage.

I will follow this thread with interest!

Dominique

Reg Tiangha

Mar 19, 2017, 2:25:17 PM
to qubes...@googlegroups.com
You can create one yourself using qubes-builder (
https://github.com/QubesOS/qubes-builder ); I just did it myself a
couple of days ago, and it's great! I tried to do a stretch-minimal
but it failed somewhere in the middle, but jessie-minimal worked fine
and I've switched all of my service vms to use that with coldkernel.
I'll probably get to creating a Thunderbird-only VM using that template
soon.

I've noticed that there have been a lot of requests for debian-minimal
templates come through; it'd be nice if one could be made and put up in
the Qubes repository (even if it was templates-community) for
convenience sake.

tnt_b...@keemail.me

Mar 19, 2017, 2:49:33 PM
to Dominique St-Pierre Boucher, qubes-users

It's difficult to remove the packages inside debian-qubes, because most of the time you will end up crashing/destroying it.

But I wonder if the developer of debian-qubes can make a minimal one, which is way better than the current one.

cooloutac

Mar 19, 2017, 3:22:03 PM
to qubes-users, r...@reginaldtiangha.com

I still have to try this out ty.

haaber

Mar 19, 2017, 4:03:56 PM
to qubes...@googlegroups.com
> On 2017-03-19 11:38 AM, Dominique St-Pierre Boucher wrote:
>> On Sunday, March 19, 2017 at 5:51:39 AM UTC-4, tnt_b...@keemail.me wrote:
>>> hi there,
>>>
>>> fedora minimal is great idea to have inside Qubes, i wonder why we dont have debian minimal as well inside Qubes ?
>>>
> You can create one yourself using qubes-builder (
> https://github.com/QubesOS/qubes-builder ); I just did it myself a
> couple of days ago, and it's great! I tried to do a stretch-minimal
> but it failed somewhere in the middle, but jessie-minimal worked fine
> and I've switched all of my service vms to use that with coldkernel.
> I'll probably get to creating a Thunderbird-only VM using that template
> soon.
Since I am one of the "very interested people", I followed your link. At
first glance I do not know how to use that to get a debian-minimal.
Would you have time to explain the procedure a bit more ? That would be
really nice & helpful. You could even add a paragraph to the qubes-pages
to immortalize your effort :) Thank you, Bernhard

cooloutac

Mar 19, 2017, 4:08:24 PM
to qubes-users, r...@reginaldtiangha.com
On Sunday, March 19, 2017 at 2:25:17 PM UTC-4, Reg Tiangha wrote:

Welp, my brain just melted trying to figure this out. Searching in qubes-users I just see unman telling people it's easy, but can you link me to the actual instructions for building the template? Apparently I'm too dumb to find them. I'm at that GitHub page wanting to shoot myself right now. Maybe I need git instructions too lol.

I've always compiled grsec on bare-metal Debian; maybe I should just skip to the coldkernel attempt? But I've already failed trying to compile a basic kernel in Qubes, so I think I'm probably just gonna pass, man. :(

Reg Tiangha

Mar 19, 2017, 4:26:50 PM
to qubes...@googlegroups.com
You can follow the Archlinux instructions, but when you get to the step
where you have to select your template, choose jessie-minimal rather
than Archlinux:

https://www.qubes-os.org/doc/building-archlinux-template/

The coldkernel instructions ( http://github.com/coldhakca/coldkernel )
for Debian templates just work; you should have no problems if you
follow them exactly. You can take the linux-image and linux-header deb
files that it makes and copy/install them on other Debian templates as well.

Compiling kernels for Qubes using qubes-linux-kernel (
https://github.com/QubesOS/qubes-linux-kernel ) can be tricky. Upgrading
the 4.4 version of the kernel works well; I just did it a few days ago
to upgrade the dom0 kernel 4.4.54. All you had to do was switch into the
4.4 branch (git checkout stable-4.4) and then change the text in the
version file to download the latest version (today, it's 4.4.55) and
then run make rpms (one of the patches will fail because it's already
been integrated into the kernel code, so you can just delete the one
that fails in series.conf; I don't remember which one off the top of my
head). If you want to do a newer kernel (ex. 4.9 or 4.10), it's a bit
more involved. I just compiled 4.10.4 for dom0 and it's running fine,
but you have to modify the xen and rpmify patches in their various patch
directories to work with the new kernel. It's not hard; they all still
work, it's just that their locations are different so the patches need
to be updated and that's the part that takes a bit of work. I don't have
time to write a how-to for that though, but for those who are wondering,
it *is* possible to run kernels newer than 4.4 using the Qubes build
scripts.

Reg Tiangha

Mar 19, 2017, 4:32:47 PM
to qubes...@googlegroups.com
> files that it makes and copy/install them on other Debian templates as well.
>
> Compiling kernels for Qubes using qubes-linux-kernel (
> https://github.com/QubesOS/qubes-linux-kernel ) can be tricky. Upgrading
> the 4.4 version of the kernel works well; I just did it a few days ago
> to upgrade the dom0 kernel 4.4.54. All you had to do was switch into the
> 4.4 branch (git checkout stable-4.4) and then change the text in the
> version file to download the latest version (today, it's 4.4.55) and
> then run make rpms (one of the patches will fail because it's already
> been integrated into the kernel code, so you can just delete the one
> that fails in series.conf; I don't remember which one off the top of my
> head). If you want to do a newer kernel (ex. 4.9 or 4.10), it's a bit
> more involved. I just compiled 4.10.4 for dom0 and it's running fine,
> but you have to modify the xen and rpmify patches in their various patch
> directories to work with the new kernel. It's not hard; they all still
> work, it's just that their locations are different so the patches need
> to be updated and that's the part that takes a bit of work. I don't have
> time to write a how-to for that though, but for those who are wondering,
> it *is* possible to run kernels newer than 4.4 using the Qubes build
> scripts.
>

Oh, one more thing: If you were thinking about trying to compile a
kernel newer than 4.4, use @marmarek's repository at
https://github.com/marmarek/qubes-linux-kernel and run git checkout
devel-4.8 and work off of that. In fact, you can probably just sub in
4.8.17 in the version file to get the last 4.8 kernel and it should just
work (I can't remember if I had to make any other modifications on top
of that; I don't think I did). It should be easier to migrate up to 4.9
or 4.10 off of that repository, rather than the master Qubes repository
that only goes as high as 4.4.



Unman

Mar 19, 2017, 5:31:49 PM
to qubes...@googlegroups.com
I hadn't realised that there wasn't one in the repository.
We'll fix this.

In the meantime it is fairly simple to build one yourself, as Reg says.
The instructions are at www.qubes-os.org/doc/qubes-builder/

If they look intimidating, don't be put off for the build.
In the new template install the packages you need:
sudo dnf install gpg git createrepo rpm-build make wget rpmdevtools python-sh dialog rpm-sign dpkg-dev debootstrap PyYAML
Close down the template.
Create a qube based on that template: doesn't hurt to give it some extra
space in private storage

Start the new qube.
Clone the build repository:
'git clone git://github.com/QubesOS/qubes-builder.git qubes-builder '
'cd qubes-builder '

Run the setup file:
'./setup'

Follow the defaults for the first three screens, and then select the
builder-debian plugin on the 4th, Builder plugin screen.
Select YES to download sources

On the template selection page deselect fc23 and select jessie+minimal.

Then build the template:
'make qubes-vm'
'make template'

You will have to copy the template in to dom0 but there is a handy
script at the end of the build log to help you do this.


The build logs are in the build-logs directory.
You can also turn on verbose output by putting VERBOSE=1 in builder.conf
file instead of VERBOSE=0.

If you like to mess around with the build, the relevant bits are in
qubes-src/builder-debian/template_debian. That's where the package lists
are.

If you're going to do this more than once I would strongly recommend
use of a caching proxy - it will save you a huge amount of time and
bandwidth.

unman

cooloutac

Mar 22, 2017, 5:53:59 PM
to qubes-users, un...@thirdeyesecurity.org
Thanks.

Vít Šesták

Mar 23, 2017, 3:13:27 AM
to qubes-users
Well, you have simplified it too much. It seems to be basically equivalent to curl http://… | sudo bash. (AFAIK, there is no authentication when using git:// URL.) The signature verification mentioned on the page is there for a reason – you should not run the code without knowing it has not been altered.

It would be even better to use either an https:// URL or an SSH URL, as they authenticate the transport. This can somehow mitigate an attacker providing you an old version with known vulnerabilities.

Regards,
Vít Šesták 'v6ak'
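
The two checks raised in the post above (authenticated transport, then signature verification before running anything), as an added example that is not part of the original thread. The function names are hypothetical and PINNED_FPR is a placeholder for the fingerprint of a signing key you have verified yourself; the https URL is the qubes-builder repository linked earlier in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. PINNED_FPR is a placeholder: set it to the
# full fingerprint of the signing key you have verified out of band.
PINNED_FPR="${PINNED_FPR:-REPLACE_WITH_VERIFIED_40_HEX_FINGERPRINT}"

# True only for transports that authenticate the server (https, ssh).
transport_is_authenticated() {
    case "$1" in
        https://*|ssh://*) return 0 ;;
        *://*)             return 1 ;;   # git://, http://, anything else
        *@*:*)             return 0 ;;   # scp-style SSH: user@host:path
        *)                 return 1 ;;
    esac
}

# True only if HEAD carries a tag with a valid signature made by the pinned key.
verify_head_tag() {
    vt_tag=$(git -C "$1" describe --exact-match HEAD 2>/dev/null) || return 1
    # --raw prints gpg's machine-readable status lines on stderr.
    vt_status=$(git -C "$1" verify-tag --raw "$vt_tag" 2>&1) || return 1
    # VALIDSIG: field 3 is the signing key fingerprint, the last field the primary key's.
    printf '%s\n' "$vt_status" | awk -v want="$2" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
         END { exit !ok }'
}

# Clone, then refuse to continue unless the checkout is signed by the pinned key.
fetch_and_verify() {
    transport_is_authenticated "$1" || { echo "unauthenticated transport: $1" >&2; return 2; }
    git clone --quiet "$1" "$2" || return 3
    verify_head_tag "$2" "$3" || { echo "HEAD has no valid signed tag; do not run ./setup" >&2; return 4; }
}

# Usage: fetch_and_verify https://github.com/QubesOS/qubes-builder.git qubes-builder "$PINNED_FPR"
```

The transport check only authenticates the server; the signed-tag check is what ties the checked-out code to the key holder, so both must pass before ./setup is run.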

Dominique St-Pierre Boucher

Mar 23, 2017, 9:54:15 AM
to qubes-users
I was able to build a jessie minimal template but not a stretch one. So I decided to clone it and upgrade the template. I ran into a lot of issues with that. The way I was able to finally do it was to enable the qubes-testing repo for stretch before the upgrade and doing the upgrade from the console (sudo xl console [vm_name]).

Now I have a working jessie and stretch template.

I have to do it again on my other qubes computer. I will try to post a step-by-step how to!!!

Dominique

The build for stretch di

Zrubi

Apr 25, 2017, 9:26:36 AM
to qubes...@googlegroups.com

On 03/19/2017 07:49 PM, tnt_b...@keemail.me wrote:
> its difficult to remove the packages inside debian-qubes , because
> most of the time u will end up on crashing/destroying it.

I just played a little and removed a lot of packages from the current
debian-8 template:

amd64-microcode aspell aspell-en bsd-mailx colord colord-data
cryptsetup cryptsetup-bin cups cups-browsed cups-client cups-common
cups-core-drivers cups-daemon cups-filters cups-filters-core-drivers
cups-pk-helper cups-ppdc cups-server-common dmidecode dnsmasq-base
dns-root-data docutils-doc doc-debian dosfstools eject emacs emacs24
emacs24-bin-common emacs24-common enchant evince evince-common
exfat-fuse exfat-utils exim4 exim4-base exim4-config
exim4-daemon-light firefox-esr firmware-linux firmware-linux-free
firmware-linux-nonfree ftp gdisk gedit gedit-common gnome-sushi
gnome-user-guide gstreamer1.0-libav:amd64
gstreamer1.0-plugins-base:amd64 gstreamer1.0-plugins-good:amd64
gstreamer1.0-x:amd64 hwdata i965-va-driver:amd64 icedove
iceowl-extension iceweasel info intel-microcode iucode-tool keepassx
man-db mutt nano nautilus nfs-common printer-driver-gutenprint
procmail qubes-img-converter qubes-pdf-converter qubes-thunderbird
reportbug rpcbind rsyslog sane-utils system-config-printer
system-config-printer-udev tasksel tasksel-data upower usbmuxd
usbutils usb-modeswitch usb-modeswitch-data va-driver-all:amd64
vdpau-va-driver:amd64 w3m wamerican yelp yelp-xsl

After removing those (sudo dpkg --purge), let's run:
sudo apt-get autoremove

The result still contains more than the must-have packages, but I did not
purge the ones I actually need:
NetVM and FirewallVM related packages, vim, gnome-terminal and
standard networking tools

Of course it will not save disk space unless you free it using:
qvm-trim-template (from dom0)


Now my debian template is much closer to fedora-minimal - while still
booting and working :)


--
Zrubi

u+q...@bestemt.no

Apr 28, 2017, 1:24:03 PM
to Dominique St-Pierre Boucher, qubes-users
Dominique St-Pierre Boucher <domin...@gmail.com> [2017-03-23 14:54
+0100]:
> I was able to build a jessie minimal template but not a stretch one.
> So I decided to clone it and upgrade the template. I ran into a lot of
> issues with that. The way I was able to finally do it was to enable
> the qubes-testing repo for stretch before the upgrade and doing the
> upgrade from the console (sudo xl console [vm_name]).

I also was not able to build a stretch-minimal template, only
jessie-minimal. (I did not try to build any of the regular templates.)

Notes:

When updating jessie-minimal to unstable, you have to select the Qubes
testing repository; the Qubes unstable repository does not exist.

When you update, be careful with apt-get dist-upgrade; it will remove
qubes-gui-agent, among others. I don't know if apt-get upgrade will
result in a full upgrade to debian unstable, but at least it will not
remove any of the essential qubes packages.

There are detailed instructions for building an Archlinux template:
https://www.qubes-os.org/doc/building-archlinux-template/ . Follow them,
replacing Arch with Debian.

Do the building in a fedora-23 template. I can personally confirm that
using a fedora-24-minimal or fedora-25-minimal template causes a lot of
problems. If I had done it like that from the beginning, I probably
could have followed Unman's instructions without problem. (Thanks, by
the way!)

--
ubestemt

Unman

Apr 28, 2017, 8:27:47 PM
to u+q...@bestemt.no, Dominique St-Pierre Boucher, qubes-users
You should be able to build a stretch template from qubes builder.
The only issue comes with actually building the template - the packages
all build fine.

The issue here is that make template fails because of permissions set
on /tmp in the prepared_image.
If you have started 'make template' and the build fails, then you
should:
cd qubes-src/linux-template-builder/prepared_images
sudo mount stretch-minimal.img /mnt
sudo chmod 777 /mnt/tmp
sudo umount /mnt
cd ../../..   # back to qubes-builder
make template

The second invocation will work and you will have a shiny stretch
template at the end.
(NB the permissions will remain as 777 on /tmp in the template and
therefore in all qubes based on it. You can change this should you
wish.)

unman

Zrubi

Dec 28, 2018, 7:28:32 PM
to qubes...@googlegroups.com

On 4/25/17 3:26 PM, Zrubi wrote:
> I just played a little and removed a lot of packages from the
> current debian-8 template:
...
> Now my debian template is much closer to fedora-minimal - while
> still booting and working :)

I just did the same with the debian-9 template.
Why?
Because fewer packages mean less:
- disk space used,
- frequent updates,
- less reboot,
- less interruption.

As I can't write an error prone guide, I just attached the final
remaining packages in my debian-9-minimal template.

I'm using it for sys-net, sys-firewall, and several VPN VMs.
(with 1 CPU, and 300-512 assigned RAM, depends on the needs)

How to get there:
Clone your working template before ruining it!

compare this list with the output of:
dpkg -l
in your own template, and remove the differences.


I'm sharing it just for the record.
and in a hope that it may help others.


Do it at your own risk ;)


--
Zrubi
dpkg.list
dpkg.list.sig
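
One way to do the comparison described in the post above, as an added example that is not part of the original post or its attachment. The helper names are hypothetical and the sample listings (package versions included) are constructed; inputs are saved `dpkg -l` output from the reference list and from your own cloned template.

```sh
#!/bin/sh
# Added example, not Zrubi's script. Inputs are saved `dpkg -l` listings.

# Names of fully installed packages (state "ii"); header and "rc" rows are skipped.
installed_names() {
    awk '$1 == "ii" { print $2 }' "$1" | LC_ALL=C sort -u
}

# Packages installed in the current listing ($2) but absent from the reference ($1).
extra_packages() {
    ep_ref=$(mktemp) && ep_cur=$(mktemp) || return 1
    installed_names "$1" > "$ep_ref"
    installed_names "$2" > "$ep_cur"
    LC_ALL=C comm -13 "$ep_ref" "$ep_cur"
    rm -f "$ep_ref" "$ep_cur"
}

# Same list with qubes-* held back for manual review: the thread warns that
# losing packages such as qubes-gui-agent breaks the template.
purge_candidates() {
    extra_packages "$1" "$2" | grep -v '^qubes-' || true
}

# Constructed sample listings (not the attached dpkg.list).
make_samples() {
    cat > "$1/reference.list" <<'EOF'
||/ Name              Version  Architecture Description
ii  bash              4.4-5    amd64        GNU Bourne Again SHell
ii  qubes-core-agent  3.2.0    amd64        Qubes core agent
ii  vim               2:8.0    amd64        Vi IMproved
EOF
    cat > "$1/current.list" <<'EOF'
||/ Name              Version  Architecture Description
ii  bash              4.4-5    amd64        GNU Bourne Again SHell
ii  cups              2.2.1    amd64        Common UNIX Printing System
rc  exim4-base        4.89     amd64        support files for exim4
ii  qubes-core-agent  3.2.0    amd64        Qubes core agent
ii  qubes-gui-agent   3.2.0    amd64        Qubes GUI agent
ii  vim               2:8.0    amd64        Vi IMproved
EOF
}

# Review the result, then simulate before removing anything:
#   purge_candidates reference.list current.list | xargs sudo apt-get -s purge
```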