Upgrading/creating "special" VMs (sys-net, vault, etc)


Dan Krol

Jan 20, 2020, 4:13:05 PM1/20/20
to qubes-users
Hello,

I was wondering if there are guides in the docs that I missed which describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall, and possibly vault). The closest things I found were these, both of which seem to be for more advanced use cases:


For instance, I preferred Debian for my vault. I created a new VM with a black lock icon and no network connectivity. Other than chosen OS, the config looks identical to the out-of-the-box vault VM. Is that all I need? (From a brief look, the salt files seem to imply that it is)

Similar question for getting my sys-net and sys-firewall onto fedora30 (current ones on fedora29). Should I:

* Simply change the TemplateVM on existing sys vms to fedora30, and expect it to automagically work after restart?
* Create new fedora30 based VMs, checking certain settings ("provides network", maybe others)?
* Use Salt to configure new ones from scratch?

Thanks in advance,

-Dan

shroobi

Jan 21, 2020, 7:45:05 AM1/21/20
to qubes...@googlegroups.com
> Hello,
>
> I was wondering if there are guides in the docs that I missed which
> describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall,
> and possibly vault). I preferred Debian for my vault. I created a new VM with a
> black lock icon and no network connectivity. Other than chosen OS, the
> config looks identical to the out-of-the-box vault VM. Is that all I need?
> (From a brief look, the salt files seem to imply that it is)
>
"Vault" VMs have no network access; besides that, there is nothing special about them. You might like to customize its template, though, for instance for multimedia use.
>
> Similar question for getting my sys-net and sys-firewall onto fedora30
The packages that sys-net and sys-firewall need to function are included in the templates, except for the minimal templates. That's why the guides mention them specifically. Provide sys-net with a device and make sure that they provide networking to the next qube in line. Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled. If you plan to incorporate Whonix into your configuration (with a DispVM and as the UpdateVM), then I recommend that you use Salt to create everything it needs.

Dan Krol

Jan 21, 2020, 2:04:39 PM1/21/20
to shroobi, qubes-users
So to clarify:

> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.

When you say "need it enabled", you're just referring again to "provides network", is that correct?

And secondly: Do I understand correctly so long as any qube sits in between two other qubes in the networking chain, it automatically acts as a basic firewall? That's all that sys-firewall is?

Thanks again!

-Dan


--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4827Xt5j9gz9rxX%40submission02.posteo.de.

shroobi

Jan 21, 2020, 3:34:24 PM1/21/20
to qubes...@googlegroups.com
> So to clarify:
>
> > Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
>
> When you say "need it enabled", you're just referring again to "provides
> network", is that correct?
>
Yes.
> And secondly: Do I understand correctly so long as any qube sits in between
> two other qubes in the networking chain, it automatically acts as a basic
> firewall? That's all that sys-firewall is?
>
> Thanks again!
I don't know. You can compare iptables rules between your VMs to find out.

You're welcome.

BTW, this mailing list prefers users to reply below the previous message.

Claudia

Jan 21, 2020, 10:09:39 PM1/21/20
to Dan Krol, shroobi, qubes-users
January 21, 2020 7:04 PM, "Dan Krol" <orbl...@gmail.com> wrote:

> So to clarify:
>
>> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
>
> When you say "need it enabled", you're just referring again to "provides network", is that correct?
>
> And secondly: Do I understand correctly so long as any qube sits in between two other qubes in the
> networking chain, it automatically acts as a basic firewall? That's all that sys-firewall is?

From what I understand, sys-firewall is special in that it dynamically changes firewall rules for different VMs. That's where the firewall rules in the VM Settings GUI and qvm-firewall are applied. If you just create a new blank VM in place of sys-firewall, you can set up static firewall rules, but it won't by default know how to do any of the dynamic / user-defined rule stuff.

unman

Jan 22, 2020, 7:21:34 AM1/22/20
to qubes-users
This isn't quite true - there's nothing special about sys-firewall. *Any* qube which provides network (and has the relevant packages installed) will provide the dynamic firewall. If you use the full templates it will work automatically.

Claudia

Jan 22, 2020, 8:36:51 AM1/22/20
to unman, qubes-users

Ohhhh, so that's what "provides network" means? Now it's starting to make sense. Thanks for clarifying.

Is there anything special about any VMs, other than:
dom0: obviously
debian-10, fedora-30, whonix-{ws,gw}-15: install path is controlled by rpm, i.e. reinstalling the package would overwrite the templateVM image - unlike a user-created or cloned TemplateVM
sys-net: provides network, assigned PCI network devices by default, clocksyncd service
sys-usb: assigned USB controllers by default
sys-firewall: provides network, netVM=sys-net (as opposed to the global default of sys-firewall or sys-whonix)
sys-whonix: provides network, netVM=sys-firewall (as opposed to the global default of sys-whonix in some installations)

So in other words, you could delete any of these, and then just make a new VM with the same template and the same VM settings, and it would function just like the original, without any modifications inside the VM itself?

I've heard that recreating a broken sys-net for example is not that simple, so I assumed there was something special about the sys-* VMs (or at least sys-net). Is that not actually the case?

awokd

Jan 23, 2020, 11:14:12 AM1/23/20
to qubes...@googlegroups.com
Claudia:

> Is there anything special about any VMs, other than:

> sys-net: provides network, assigned PCI network devices by default, clocksyncd service
> sys-usb: assigned USB controllers by default

These two need to be HVMs vs. the default PVH to support PCI passthrough, which means several additional requirements like memory balancing disabled, etc.

> sys-firewall: provides network, netVM=sys-net (as opposed to the global default of sys-firewall or sys-whonix)
> sys-whonix: provides network, netVM=sys-firewall (as opposed to the global default of sys-whonix in some installations)

It is best to use the Salt commands to recreate *whonix*. They do some additional steps with qvm-features. The Salt commands are plaintext and somewhat human readable, so you can see what they do.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
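The thread's answer, taken together (unman: any qube with `provides_network` and the full template's packages is a working firewall; awokd: sys-net/sys-usb must be HVM for PCI passthrough; shroobi: minimal templates lack the networking packages), amounts to a short dom0 procedure. The script below is an added example, not code from the thread or from the Qubes project. It assumes the Qubes 4.0 CLI (`qvm-create`, `qvm-prefs`, `qvm-pci`, `qvm-features`, `qubes-prefs`) and that setting `netvm` to `''` means "no NetVM". The qube names (`vault-deb`, `sys-net-f30`, `sys-firewall-f30`) and the PCI id `dom0:00_19.0` are placeholders; take the real NIC id from `qvm-pci list`. With `DRY_RUN=1` it only prints the commands, so the plan can be reviewed before running it in dom0.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): recreate the
# "special" qubes from a fresh template using the Qubes 4.0 dom0 CLI.
# DRY_RUN=1 prints each qvm-* command instead of executing it, so the plan
# can be reviewed (or tested) outside dom0.

: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        out=
        for a; do
            [ -n "$a" ] || a="''"        # show an empty value as ''
            out="$out${out:+ }$a"
        done
        printf '%s\n' "$out"
    else
        "$@"
    fi
}

# The one check worth making before pointing sys-net/sys-firewall at a new
# template: minimal templates lack the networking agent packages.
check_template_networking() {   # template
    run qvm-run -p "$1" 'rpm -q qubes-core-agent-networking'
}

# Vault: an ordinary AppVM whose netvm is none. Nothing else is special.
make_vault() {                  # name template
    run qvm-create --class AppVM --template "$2" --label black "$1"
    run qvm-prefs "$1" netvm ''
}

# NetVM: provides_network, no upstream netvm, HVM (needed for PCI
# passthrough, per awokd's note), NIC(s) attached persistently, clock sync
# service enabled (the service Claudia lists for sys-net).
make_sys_net() {                # name template pcidev...
    name=$1; template=$2; shift 2
    run qvm-create --class AppVM --template "$template" --label red "$name"
    run qvm-prefs "$name" netvm ''
    run qvm-prefs "$name" provides_network True
    run qvm-prefs "$name" virt_mode hvm
    for dev; do
        run qvm-pci attach --persistent "$name" "$dev"
    done
    run qvm-features "$name" service.clocksync 1
    run qvm-prefs "$name" autostart True
}

# Proxy/firewall qube: provides_network plus an upstream netvm. With the
# full template's packages, any such qube applies the per-qube rules from
# VM Settings / qvm-firewall to the qubes behind it; nothing else is needed.
make_proxy() {                  # name template upstream
    run qvm-create --class AppVM --template "$2" --label green "$1"
    run qvm-prefs "$1" netvm "$3"
    run qvm-prefs "$1" provides_network True
    run qvm-prefs "$1" autostart True
}

# Point the global defaults at the new chain once it is up.
switch_defaults() {             # net firewall
    run qubes-prefs clockvm "$1"
    run qubes-prefs default_netvm "$2"
    run qubes-prefs updatevm "$2"
}

# Example plan: a Debian vault plus a Fedora 30 sys-net/sys-firewall pair.
# dom0:00_19.0 is a placeholder id; use the one shown by `qvm-pci list`.
if [ "${1:-}" = plan ]; then
    DRY_RUN=1
    check_template_networking fedora-30
    make_vault vault-deb debian-10
    make_sys_net sys-net-f30 fedora-30 dom0:00_19.0
    make_proxy sys-firewall-f30 fedora-30 sys-net-f30
    switch_defaults sys-net-f30 sys-firewall-f30
fi
```

Run `sh recreate.sh plan` anywhere to see the command list, then source the file in dom0 and call the functions with `DRY_RUN=0` (the default) to apply them. Building a parallel `*-f30` chain and switching the defaults afterwards, rather than editing the running sys-net in place, keeps the old chain available if the new NetVM fails to come up with the NIC.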