Persistant routes on Qubes are not persistant?!
4li11b+ehe...@guerrillamail.com
I need to add some static routes since I'm using a network with different GWs. For that reason I've tried to add some static routes through the NetworkManager which maps all the configuration into a file called qubes-uplink-eth0 . Strangely and since this file is within the private disk image, one would expect that the changes are be preserved after a reboot, unfortunately this has not been the case. Everytime there's a reboot the file gets overwritten somehow.
Does anyone know if there's a way to preserve static routes on Qubes or is this simply a limitation?
Thank you
----
Sent using GuerrillaMail.com
Block or report abuse: https://www.guerrillamail.com/abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D
4lj7sp+iu...@guerrillamail.com
Does anyone knows how to set static routes persistently into the sys-firewall?
Thanks
Andrew
add these routes in /rw/config/rc.local.
I'm not sure exactly what you want to do, though, so I'm not sure this
is the appropriate advice to give... what *do* you want to do, ultimately?
Andrew
johny...@sigaint.org
>> sys-firewall?
be able to get what you want by adding and checking off the
'network-manager' service for the VM (and restarting), then configuring
the virtual interface's routes from the new additional NetworkManager Icon
that should show up.
You might be able to disable the service afterwards if you don't want the
extra taskbar icon. I think the settings should stick around even if the
NetworkManager GUI/icon isn't running.
JJ
4lpt9o+3m1...@guerrillamail.com
I've tried to add this via the NetworkManager which is what I intend, however the routes, as soon as the VM is bounced, are overwritten.
Having this into the the rc.local is not a very elegant solution since the Network Manager is suppose to handle this.
So is there a way to static add this routes via the Network Manager ensuring they are preserved at each boot?
4lpt9o+3m1...@guerrillamail.com
4m3ap1+btc...@guerrillamail.com
Does anyone knows how to achieve this on Qubes?
Thanks
johny...@sigaint.org
>
> I need to add some static routes since I'm using a network with different
> GWs. For that reason I've tried to add some static routes through the
> NetworkManager which maps all the configuration into a file called
> qubes-uplink-eth0 . Strangely and since this file is within the private
> disk image, one would expect that the changes are be preserved after a
> reboot, unfortunately this has not been the case. Everytime there's a
> reboot the file gets overwritten somehow.
> Does anyone know if there's a way to preserve static routes on Qubes or is
> this simply a limitation?
Is the symlink for /etc/NetworKManager/system-connections ->
/rw/config/NM-system-connections in place?
Is /rw/config/NM-system-connections indeed a valid directory, writable by
root, etc.? Is /rw properly mounted to /dev/xvdb? If you go into
/etc/system do you see a file for each network adapter (i.e. "Wired
Connection 1")? Is that file rw by root only? When you modify settings
in the network-manager taskbar icon, does the network's config file change
accordingly? (It's text-based, easy to view.)
I use a couple of different static network configurations through
NetworkManager, and they stick around just fine. What template are you
using?
JJ
4m4wzj+81e...@guerrillamail.com
ls /etc/NetworkManager/system-connections
131205 lrwxrwxrwx 1 root root 32 Oct 17 21:17 /etc/NetworkManager/system-connections -> /rw/config/NM-system-connections/
The /dev/xvdb is properly mounted on /rw :
/dev/xvdb on /rw type ext4 (rw,relatime,discard,data=ordered)
I don't have a /etc/system directory on my system, are you referring to the unit files?
For the sys-firewall I'm using the default template - > fedora-23
When I set the routes by hand via NetworkManager they are reflected on the qubes-uplink-eth0 file:
(...)
[ipv4]
address1=10.137.1.8/32,10.137.1.1
dns=10.137.1.1;10.137.1.254;
dns-search=
may-fail=false
method=manual
never-default=true
route1=192.168.0.0/16,10.137.1.1
route2=172.16.0.0/16,10.137.1.1
#---EOF---
The file before the sys-firewall is rebooted has the following checksum and md5sum:
2551335477 425 qubes-uplink-eth0
83b37a6b68007838efb1e9e9fbc841f4 qubes-uplink-eth0
As soon as the sys-firewall is booted the file with the NW configuration is overwritten :
[ipv4]
method=manual
may-fail=false
dns=10.137.1.1;10.137.1.254
addresses1=10.137.1.8;32;10.137.1.1
#---EOF---
As you can see the configuration was not preserved.
Therefore something is clearly overwritten the NM configuration, the problem is to know what and how to avoid it, preserving the NM config.
So in short, I cannot tell what process have been changing the NM configuration at every boot. It would be great if someone from the Qubes support would be able to shed some light on this.
4mytxq+3qz...@guerrillamail.com
Does anyone knows how to achieve this on Qubes?
----
Sent using Guerrillamail.com
4oe3ad+c69...@guerrillamail.com
I've opened this issue, that is specific to the Qubes architecture, for over a week now and so far no one was able to pinpoint to the solution or explain why static routes are being overwritten on boot.
It seems that this ML is only breathing, beacuse of the individual effort of its users. To the date, no one from the official team (https://www.qubes-os.org/team/) was able to chip in or give any answer.
This is a bad start for this project, lack of support is one of the reasons why some projects are not successful..
And to think I was about to give some donations for this project....
Adrian Rocha
Did you try adding the commands in /rw/config/qubes-firewall-user-script file, as is indicated in the documentation?
https://www.qubes-os.org/doc/qubes-firewall/
Regards
4ok80g+4fl...@guerrillamail.com
In any case, this suggestion in itself is a huge hammering. The sys-firewall shouldn't have to change the qubes-uplink-eth0 (Network Manager configuration) in the first place and that is the whole problem here.
I could have set the file with the immutable flag on, I could have created a rc.local script...etc
I could have done many workarounds, but these would be, as the name implies, workarounds. What I want to know is to know why the static routes on the NM configuration are being overwritten and how to avoid that.
So far not a single soul from the qubes project has mentioned a single word about this and this is simply unacceptable! This mailing list is been abandoned!
Point proven - all the contacts for the ML and the help section were removed from the main site. The page https://www.qubes-os.org/help/ is now redirected to https://www.qubes-os.org/doc/ .
Is this project over before it has taken off?!?
Unman
> I assume you meant to say rc.local, as this has nothing to do with iptables nor the qubes-firewall-user-script.
> In any case, this suggestion in itself is a huge hammering. The sys-firewall shouldn't have to change the qubes-uplink-eth0 (Network Manager configuration) in the first place and that is the whole problem here.
>
> I could have set the file with the immutable flag on, I could have created a rc.local script...etc
> I could have done many workarounds, but these would be, as the name implies, workarounds. What I want to know is to know why the static routes on the NM configuration are being overwritten and how to avoid that.
>
> So far not a single soul from the qubes project has mentioned a single word about this and this is simply unacceptable! This mailing list is been abandoned!
> Point proven - all the contacts for the ML and the help section were removed from the main site. The page https://www.qubes-os.org/help/ is now redirected to https://www.qubes-os.org/doc/ .
>
> Is this project over before it has taken off?!?
>
From what I can see someone replied to you pretty quickly, asking for
information and telling you that it worked for them. You dont appear to
have responded to that, or provided more information.
They pointed you to /rw/config/NM-system-connections.
So, why not respond to JJ, who tried to help you?
Set a route in NM.
Then check to see that it is reflected in
/rw/config/NM-system-connections
What template are you using?
Andrew David Wong
Hash: SHA512
On 2016-10-22 11:54, 4oe3ad+c69c7b873rbzk via qubes-users wrote:
> Unfortunately this Mialing list seems dead.
> I've opened this issue, that is specific to the Qubes architecture, for over a week now and so far no one was able to pinpoint to the solution or explain why static routes are being overwritten on boot.
>
> It seems that this ML is only breathing, beacuse of the individual effort of its users. To the date, no one from the official team (https://www.qubes-os.org/team/) was able to chip in or give any answer.
>
> This is a bad start for this project, lack of support is one of the reasons why some projects are not successful..
>
> And to think I was about to give some donations for this project....
>
https://www.qubes-os.org/mailing-lists/
I'll make a few points explicit:
1. No one owes you a reply.
2. If people don't know the answer to your question, they're very unlikely to reply. That doesn't mean your message is being ignored. It just means that no one who has had time to reply knows the answer.
3. The devs who are likely to know the answer to your question are very busy working on Qubes. They can't just drop everything to answer every question that comes across the mailing list. If they were to try, no development work would ever get done. Sometimes, they don't have time to respond to certain messages on the mailing list for days or even weeks. You have to be patient. Even then, there's no guarantee that your question will be answered, because no one here has an obligation to solve your problems for you (see point 1).
4. If you want people to help you, should (a) be polite and (b) make it as easy as possible for people to help you. Repeatedly bumping your own thread in a short period of time, then making baseless and inflammatory accusations is not very polite.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYDJR0AAoJENtN07w5UDAwEGYQALxm9h6BwXGIDX85YltU5krT
v9qE+vyRb29r2A2id63skZKkn2kueDap1RpLKMvrZJlbsoQ2QZc+wLoivSbpS5xC
0xTl2l5dMcvZP+BKr2VzqMZZ2R9VOZhC3h1mNGce29ahblCRcsX4o5/qPBMa3yky
UEd/MmZcwgdAjhE3pd1etwlPSgv8xDF3iVSj6FUz4Wj79q5n0iGllpuYRY1iqiey
1L25bOekf2KK6D7ClX20EnEyvz5RA3llJACJXW/KSpL0vDbbTIfKfVQPAa4M/Thx
IeGUFJAH9vWP7n9kWUIoStMCcaC4Xpd0f18T0r+WoIMZctZY38vlIJFGWNBZQ5EF
aFmKgBb2XS+vsR0crtmJxrkxjVP3tB1HzfqBdZv2AGyULxbliQIPWlCzyZgavq7v
VN748JhM2B3PAOzPH+juSC6AWRYqf6GppwxKtw9oD802krCeA+bw/QlqVnineaAe
1K8FIAYP+/3OoPumpozwkqx/W6X0N3N509VwMN2dhiy30zFG2MLElkQtyxOvPZJp
D8/ZRibHH33UkxLZDlFb2epdUY8GmRNCUtZsHFanFa8Ih/3U/JE72VvdDFSmTb5t
GIgGrbqx8UyU9MZI9jjoRxz8GuTanBjlH5lhCEfCXB24RtRGRLnCvty4Zyf1ygP9
SMs9zsd45nymO/9tGbiF
=epwe
-----END PGP SIGNATURE-----
Andrew David Wong
Hash: SHA512
> So far not a single soul from the qubes project has mentioned a single word about this and this is simply unacceptable! This mailing list is been abandoned!
https://www.qubes-os.org/mailing-lists/
I'll make a few points explicit:
1. No one owes you a reply.
2. If people don't know the answer to your question, they're very unlikely to reply. That doesn't mean your message is being ignored. It just means that no one who has had time to reply knows the answer.
3. The devs who are likely to know the answer to your question are very busy working on Qubes. They can't just drop everything to answer every question that comes across the mailing list. If they were to try, no development work would ever get done. Sometimes, they don't have time to respond to certain messages on the mailing list for days or even weeks. You have to be patient. Even then, there's no guarantee that your question will be answered, because no one here has an obligation to solve your problems for you (see point 1).
4. If you want people to help you, should (a) be polite and (b) make it as easy as possible for people to help you. Repeatedly bumping your own thread in a short period of time, then making baseless and inflammatory accusations is not very polite.
https://github.com/QubesOS/qubes-issues/issues/1833
https://github.com/QubesOS/qubes-issues/issues/1841
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
wcOZNy5Vh4v5XteyHg7J8hRBSm50ty0gkZ9iLpXqDTBUZA/G87VFII/KyLkkPF9D
BhQbi04ZJNDyaScxtWxhhsgByCgG7gzQYbQ7eTKEEWq7f1veCjfFgjTJ+WWwqDm8
/T1OZfWHyRI8xvuaUbUlaeGGlRFCfNkbIQy7Pe28XChPWR++nbrVoEa/XiyfLAT/
pAvuVBQhgWCChf2vYKkTa7mH/RLXk9J26WvBT3UDX0q+DEuvEdRC2XioOu1FJb/X
tJ+y0NTE931pE51QhUEtTNOD6eEK9gtp7DN3hgbssKliTol+Q09PoDknv2Ecf7AE
Pxe4/OabReJ7wCAChpIIxLISZzX81S57zjS5KBbz66Itd8es21mwj8uTuGSGHGgt
Uus3CqxG+QEnQPjP5QZQJ8xTxjqNoxr+bTiOtWzXdcqwAoshiFH2+rUs017Qjq0C
zAdxsn/mHVVOspqRM6cNLAI1MWViIFrmgmgnvBFEZXr1CMZbjb2OgolFMQOXSDOt
xD+tAbH5QOJyQ1aK/uZUYjD4BlGcKpriVvwjFmUhPJPotmy6PR6qWHE8klUGpZsR
0436mSU8U2nGg9ZKesGXk6/HwPnIO5Lpe1vDYPxjkAkjgaXm4jGvMDBTYanc+KwP
8acYlSP/TshmG9yEUwqq
=Zznw
-----END PGP SIGNATURE-----
4p3dkf+6lm...@guerrillamail.com
I didn't mean to be rude/aggressive/impolite/disrespectful in any way nor making inflammatory or baseless accusations.
So my sincere apologies for that.
Regarding the Qubes main page, I was not aware of this discussion. I was simply baffled by the lack of the 'help' section and erroneous concluded (based on this and the lack of reply from anyone from the official team) that the ML is no longer supported.
Again my apologies for that.
As for the issue it was outlined in details in this thread, (and I did respond to JJ with the detailed description of the issue, which I'm quoting below):
----
Marek Marczykowski-Górecki
Hash: SHA256
startup (or changing network options - like switching to different
netvm). I thing there was a comment about it, but indeed it isn't there
right now... Anyway, your options are:
1. Create new connection with different name and set routes there.
2. Modify routing table (or NetworkManager settings) from
/rw/config/rc.local, or /rw/config/qubes-ip-change-hook.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJYDL+jAAoJENuP0xzK19csqqoIAIcN1VAv4btJWY9xPYSqLsBH
0RuD+4wew2c1cpLF8w7yp+4WKeSXTJIdztnSYen6Ic8Ce4Ugr+86br2z74O0z6+O
ic8cyDC+urVDWTzfxvX4CjHcSWV4e7OF9zNWHNKkJHHPsJKChmVR9Q9DuvXDOTG9
xkcy+pDCVc1fPrwrYc/6SvQ6q1kic44X3K6piZkJMas55eNOThRLDpqirSi/aGZQ
oSIkUpFrHDdWTWG7ULWWt+CwZOoNlt3Tr8NVuir7YHTOxSTjhqNDXsKHM7YRGdBO
w+Klxv5MuOXTmTRk3LwYkbGdHV1JxlSavY5s0I59C1NjvsFgsVpQCt1SQxGPc40=
=0wZ6
-----END PGP SIGNATURE-----
4p6c0u+8ay...@guerrillamail.com
I was not able to put this to work via the network manager,since if I opt to choose eth0 this the connection will not be activated. And create a dedicated virtual interface just for this purpose its a little overkill.
Therefore I followed your second suggestion and added the routes manually in the qubes-ip-change-hook . Although I don't think this is a very elegant solution, at least the routes were persistent added in each reboot, which solves my issue.
Thank you once again.