++ OK actually now I recall the lines, seems I had not entered the 3rd
line accurately
> These are the same dom0 changes described in the doc page:
>
> https://www.qubes-os.org/doc/vm-sudo/
>
> BTW, if you don't remember seeing the dom0 instructions then something
> might have gone wrong in the installer.
>
>>
>>
>> 2) please disregard what I said about Fedora, my mistype of
>> 'vm-protect-etc', and my 1st status report, when I was still trying
>> things out.
>>
>> 3) so no service needs to be added to either the Deb-9 template, NOR
>> any AppVMs based on the template?
>> a) installing howto says to "specify one of the services for your
>> VMs"
>
> I didn't say that. I said that specifying the Qubes services isn't
> necessary for the template; it doesn't affect whether or not the
> template-based VMs use those services.
>
>>
>> 4) Seems that it also breaks any appVMs using other Templates where
>> the script wasn't installed
>
> No, it wouldn't do that.
++so does this mean that the VMHardening must be installed in all
template VMs that will be used? (and if that were the case then one
would not be able to use both Fed-30 and Deb-9 on the machine, secondary
to the step 3 variance in methods to remove passwordless root?)
++further is it the case that ANY appVM must add at least the
vm-boot-protect as a service to start; e.g. sys-vpn, sys-firewall,
sys-whonix, anon-whonix
+ it's just your saying in your write-up that the vm-boot-protect-ROOT
may/may not work in those
+ but again don't expect any appVM to work w/o the VMBP service
present, nor any appVM *not using the template where QVMH has been
installed?
ATM: per the howto, I've no manually started service in the VMBP Deb-9
Template, however
re:
"The sys-net VM should work 'out of the box' with the
vm-boot-protect-root service via the included whitelist file. Additional
network VMs may require configuration, such as cp sys-net.whitelist
sys-net2.whitelist."
I engaged the VMBP-root in the sys-net, restarted, have it connected by
ETH cable on a Thinkpad T5xx-series but no internet
I did in default/vms sys-net.whitelist and did the cp command as
above then re-ran the install script as sh ./install in deb-9
template closed deb-9 and restarted sys-net
ethernet now works! *BUT importantly for a laptop not the wifi (which
worked fine pre_VMBP)
lastly, I can update deb-9 template via the default-mgmt-dvm widget,
but not directly in the deb-9 xterm via apt-get update, is that to
be expected? as I was saying, seems to me, there are times, when one
needs to apt-get dist-upgrade that the DVM widget doesn't do
PS:
---
I seem to have gotten it closer in sys-usb using VMBP (no -root); on
starting the AppVM I see a popup window saying:
FIRST BOOT volume initialization Please Restart
private volume is located at /dev/badxvdb
which appears to be the last bulletpoint on your github writeup,
however restarting the sys-usb does not fix, see the same popup window.
I removed my usb mouse dongle, and the error message changed to
Mount failed: BAD private volume!
so looks to break the auto-mounting of the usb mouse to sys-usb so at
root@dom0 and user@dom0 I tried
qvm-usb attach sys-usb sys-usb:1-1.2
but device attach failed:
---
so thx for tool, support, think this is for folks who know how to use
linux :)