Template VM Hierarchy?


981'0932481'029438'0194328'0913284'0913284'09182'3

Jun 5, 2016, 12:26:14 PM
to qubes-users
Hello,

Can I build a Template VM hierarchy?

i) If I install all apps in the same TVM, then it looks pretty much like the same mess as in a monolithic system.
ii) If I install any app in a new HVM, then I waste lots of space.

If I take the working hypothesis that I can define more safe and less safe apps, I could build N TVMs for different topics and additionally some dependent Template Sub-VMs, which contain more risky apps.

E.g. TVM-Hierarchy for text processing

TVM1 contains only a secure and simple text editor
TVM1-1 is based on TVM1 and contains also a simple painting tool
TVM1-1-1 is based on TVM1-1 and enables the more risky JAVA stack and OpenOffice

So only AppVMs based on TVM1-1-1 like

AVM1-1-1-1
AVM1-1-1-2
AVM1-1-1-3
AVM1-1-1-4... take the JAVA risk
but you will save the space, because TVM1-1 doesn't get duplicated only to build up TVM1-1-1.

You can even update the full T-Hierarchy, in the best case, with one click.

Will this be possible?
And how can I reach it?

The benefit will be that any app code gets stored and updated only once, but the risk can be limited (if a good app black- and white list exists).

Kind Regards

Marek Marczykowski-Górecki

Jun 5, 2016, 12:35:00 PM
to 981'0932481'029438'0194328'0913284'0913284'09182'3, qubes-users
No, it isn't possible. Template VMs are done at block device level, not
filesystem level (to limit attack surface), so it isn't possible to
merge different levels.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Robin Schneider

Jun 5, 2016, 12:38:59 PM
to qubes...@googlegroups.com
I think this would be difficult to implement. One reason for this is that when
you update TVM1 for example, the filesystem of it diverges. You would have to
do something like a three-way merge as known from version control systems like
git. I am not aware how this could be done.

I think your best bet is to use a COW filesystem like btrfs. This was
discussed a few days ago on this list that you can use btrfs to reflink copy
VMs. The only limitation to your scenario would be that changes in TVM1 would
not get magically merged down the hierarchy.

--
Live long and prosper
Robin `ypid` Schneider

Alex

Jun 6, 2016, 2:56:49 AM
to qubes...@googlegroups.com
> On 05.06.2016 18:26, 981'0932481'029438'0194328'0913284'0913284'09182'3 wrote:
>> Hello,
>
>> Can I build a Template VM hierarchy?
> No, it isn't possible. Template VMs are done at block device level, not
> filesystem level (to limit attack surface), so it isn't possible to
> merge different levels.
[...]
> I think this would be difficult to implement. One reason for this is that when
> you update TVM1 for example, the filesystem of it diverges. You would have to
> do something like a three-Way Merge as known from version control systems like
> git. I am not aware how this could be done.

That's a deliberate architectural choice; what if there were as many
virtual disks (/dev/xvdN) as the level, and the mounting was done via
something like overlayfs? This would allow for mounting from many disks
into the same directory, specifying which source would be the "lower
one" (read only) and the "upper one" (read-write), and merging directory
contents too. Any AppVM would have all the lower layers as read-only,
one above the other, and still keep /rw as the only read-write
filesystem mounted with unionfs.

This would semi-solve the update problem: you would update the cascade
of templates starting from the root, and you would have your binaries
updated. The only problem is with the installed application database
from the package manager, which would be out-of-sync in the child
templates with the actual version installed of the apps in the root
templates.

This is imho the biggest problem, not the actual technical
implementation of the overlay/union of filesystems; as long as there is
no package manager that can "discover" the actual packages installed and
needed without a separate database, or without a carefully designed
single-file-per-package-info database, this will only be an update
nightmare.

--
Alex
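
A small model of the package-database problem described in the message above, added as an illustration and not part of the original thread. Layers are plain dicts and the top-most layer wins for each path, which is a simplification of overlay-style mounting; the paths `/var/lib/pkgdb` and `/var/lib/pkg/`, the package names and the versions are made up for the example.

```python
# Constructed model: a layer is a dict path -> content; whiteouts and
# directories are ignored. This is not real overlayfs.
DB_FILE, DB_DIR = "/var/lib/pkgdb", "/var/lib/pkg/"   # hypothetical paths

def merged(layers):
    """Merged view of layers listed top-most first: the upper layer wins."""
    view = {}
    for layer in reversed(layers):        # apply bottom-up so upper overwrites
        view.update(layer)
    return view

def read_single_file_db(view):
    """One database file holding 'name=version' lines for every package."""
    return dict(l.split("=") for l in view.get(DB_FILE, "").splitlines())

def read_per_package_db(view):
    """One small file per package, so files from different layers merge."""
    return {p[len(DB_DIR):]: v for p, v in view.items() if p.startswith(DB_DIR)}

def install(layer, below, name, version, single_file):
    """Install a package into `layer`, which sits on top of `below`."""
    layer[f"/usr/bin/{name}"] = version
    if single_file:
        # The whole DB is copied up into this layer and then modified.
        db = read_single_file_db(merged([layer] + below))
        db[name] = version
        layer[DB_FILE] = "\n".join(f"{k}={v}" for k, v in sorted(db.items()))
    else:
        layer[DB_DIR + name] = version

def stale_packages(view, reader):
    """Packages whose recorded version differs from the visible binary."""
    return {n: (v, view.get(f"/usr/bin/{n}"))
            for n, v in reader(view).items() if view.get(f"/usr/bin/{n}") != v}

def scenario(single_file):
    tvm1, tvm1_1 = {}, {}
    install(tvm1, [], "editor", "1.0", single_file)        # root template
    install(tvm1_1, [tvm1], "paint", "1.0", single_file)   # child template
    install(tvm1, [], "editor", "1.1", single_file)        # update root only
    view = merged([tvm1_1, tvm1])          # what an AppVM on TVM1-1 would see
    reader = read_single_file_db if single_file else read_per_package_db
    return stale_packages(view, reader)

if __name__ == "__main__":
    print("single-file DB:", scenario(True))    # child's DB copy shadows root's
    print("per-package DB:", scenario(False))   # records merge per file
```

With the single-file database the child template's copy hides the root's updated record, so the merged view reports the old editor version next to the new binary; with one file per package nothing is shadowed.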
