Installing/updating apps in a TemplateVM
89 views
Skip to first unread message
outdoo...@gmail.com
Sep 27, 2018, 6:58:39 PM9/27/18
to qubes-users
I've just installed Qubes OS 4.0 on my old laptop to get the hang of it before I (hopefully) make my leap over from Windows!
I wanted to install some new software in the personal and work domains so I went to the "Qubes Menu -> Template: fedora-26 -> fedora-26: Software" and clicked the Install button for an app however it only ever displayed pending. I opened up the Qubes Manager and noticed that no NetVM was assigned to any of the templates. I opened the settings and assigned it sys-firewall which then allowed me to install programs.
On the https://www.qubes-os.org/doc/software-update-vm/ page under "Notes on trusting your TemplateVM(s)" heading it says:
"Only install packages from trusted sources – e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and we expect that at least the package’s installation scripts are not malicious. This is enforced by default (at the firewall VM level), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos."
This no longer seems the case in Qubes OS 4.0 - no NetVM is attached to the TemplateVMs and no default firewall rules. Okay, onto the questions:
1) Have these defaults been missed out from the Qubes OS 4.0 install?
2) Or is the documentation out of date and it's now recommended to do something else?
3) How should I go about installing/updating apps in the TemplateVMs?
3a) permanently attach sys-firewall and create firewall rules to only allow trusted repos as the docs currently suggest
3b) or only attach sys-firewall when updating/installing and disconnect afterwards?
Thanks! =)
I wanted to install some new software in the personal and work domains so I went to the "Qubes Menu -> Template: fedora-26 -> fedora-26: Software" and clicked the Install button for an app however it only ever displayed pending. I opened up the Qubes Manager and noticed that no NetVM was assigned to any of the templates. I opened the settings and assigned it sys-firewall which then allowed me to install programs.
On the https://www.qubes-os.org/doc/software-update-vm/ page under "Notes on trusting your TemplateVM(s)" heading it says:
"Only install packages from trusted sources – e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and we expect that at least the package’s installation scripts are not malicious. This is enforced by default (at the firewall VM level), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos."
This no longer seems the case in Qubes OS 4.0 - no NetVM is attached to the TemplateVMs and no default firewall rules. Okay, onto the questions:
1) Have these defaults been missed out from the Qubes OS 4.0 install?
2) Or is the documentation out of date and it's now recommended to do something else?
3) How should I go about installing/updating apps in the TemplateVMs?
3a) permanently attach sys-firewall and create firewall rules to only allow trusted repos as the docs currently suggest
3b) or only attach sys-firewall when updating/installing and disconnect afterwards?
Thanks! =)
awokd
Sep 28, 2018, 1:09:49 AM9/28/18
to qubes...@googlegroups.com
outdoo...@gmail.com:
"Software" application to install apps in templates. You should leave
NetVM on (none) on the templates and instead use dnf on Fedora or apt on
Debian.
unman
Sep 28, 2018, 5:48:19 AM9/28/18
to qubes...@googlegroups.com
1. The mechanism has changed in Qubes 4.0, so the old defaults no longer
apply.
Instead of using restricted access to a netvm, in Qubes 4.0 the update
proxy is reached by qrexec calls. This provides better insulation for
the template.
You should not attach a TemplateVM to a netVM.
2. The docs should be clarified.
3. Open a terminal in the TemplateVM and run 'sudo dnf' or appropriate
package manager, as awokd says.
3a. For reason above do not do this in Qubes 4.0
3b. For reason above do not do this in Qubes 4.0
If you want to install software not already packaged, then download (and
verify) it in a online qube and qvm-move it to the TemplateVM. Be aware
of the additional risks involved.
unman
OutdoorAcorn
Sep 28, 2018, 6:15:23 AM9/28/18
to qubes-users
On Friday, 28 September 2018 10:48:19 UTC+1, unman wrote:
> On Fri, Sep 28, 2018 at 05:09:22AM +0000, 'awokd' via qubes-users wrote:
> >
> >
> > OutdoorAcorn:
> On Fri, Sep 28, 2018 at 05:09:22AM +0000, 'awokd' via qubes-users wrote:
> >
> >
If you can't install apps via the "Software" gui app how come it is listed in "Qubes Menu -> Template: fedora-26"? It seems like this is just going to lead newbies like myself down a dead end.
You could go as far to say that the "Software" app isn't useful and should be removed. It can only be used in an AppVM or DVM (with an attached NetVM) and in the case of the AppVM the installed app would be removed on reboot.
Thanks again for clearing this up for me.
=)
unman
Sep 28, 2018, 8:02:24 AM9/28/18
to qubes-users
work. The proxy use is set in dnf config and it would be surprising if
the GUI program didn't honour that.
Certainly in Debian based Ubuntu all the dpkg based package managers use
the same config settings and honour the proxy.
unman
Sep 28, 2018, 8:56:44 AM9/28/18
to qubes-users
There is a suggestion that setting ProxyHTTP in
/etc/PackageKit/PackageKit.conf may fix this, and Qubes does that by
default, but it doesnt seem to work.
I'm not a Fedora user (or Gnome really), but maybe someone else has
suggestion?
unman
Sep 28, 2018, 9:14:55 AM9/28/18
to qubes-users
outdoo...@gmail.com
Oct 4, 2018, 10:44:17 AM10/4/18
to qubes-users
I'll see if I can find some time to create a PR to update the documentation.
=)
Reply all
Reply to author
Forward
0 new messages