help with sys-firewall based on minimal f26 template

Ivan Mitev

Feb 12, 2018, 2:21:12 AM2/12/18
to qubes...@googlegroups.com
Hi,

In an effort to decrease R4's memory consumption I'm replacing the
default fedora-26 template with a customized one based on the official
minimal fedora-26 template.

I installed additional RPMs according to the documentation [1] and
everything seems to be working well, with a noticeable decrease of
memory usage. However I get the following error when opening a VM's
firewall settings gui:

"The 'work' qube is network connected to 'sys-firewall', which does not
support firewall!
You may edit the 'work' qube firewall rules, but these will not take any
effect until you connect it to a working Firewall qube."

But again, everything seems to work fine: the firewall rules are
properly enforced, there's no problem with net connectivity, the update
proxy is working, ...

There's no error message when sys-firewall is based on the default
fedora-26 template so I'm likely missing something but I don't see what.
I compared the qubes rpms installed in both templates but didn't notice
anything striking. Maybe there's a flag/preference or something that
needs to be set but I don't see where.

Any ideas?

Thanks
Ivan

[1] https://www.qubes-os.org/doc/templates/fedora-minimal/

Yuraeitha

Feb 12, 2018, 4:42:11 AM2/12/18
to qubes-users


It sounds odd, it usually should work changing the template. My initial thought-line on this issue goes like this, maybe it can be of use.

Is the iptable firewall package installed in the minimal template?

I'm thinking it may be iptables that is missing, since minimal templates can be used for offline purposes too, then iptables is probably not included, like most other things that have been removed.


If iptables is not enough, then my thoughts go like this instead:

- It seems very likely to me that it is a missing package and not a missing configuration. Usually swapping templates just works as long as the right packages are installed, and no configuration is required. So it "seems" that it is pre-configured out-of-the-box in the installed packages, for whichever package that is missing.

- It may be that Qubes doesn't provide firewall functionality if the existing packages work anyway. Why fix something that ain't broke? So there is a possibility you don't need the Qubes packages to fix this. If all the relevant Qubes agents are installed, then it's probably not this causing the issue.

- If Qubes tools are installed, networking works etc, and you got iptables installed already, then my thoughts are that it's likely missing system-config-*'s and the unavoidable full array of dependencies going with it.

- Try cloning the template and essentially go berserk and not hold back: install the entire system-config- array of packages, and see if networking works. If not, then either something is still missing, or firewalling has nothing to do with the system-config packages.

- If it works, then try to narrow down which packages are used for firewalling; perhaps you can reduce the amount of dependency packages being pulled if you install just the package that the firewall is using.

Ivan Mitev

Feb 12, 2018, 5:03:54 AM2/12/18
to qubes...@googlegroups.com
iptables is installed (that's one of the first things I checked after I
saw the error msg).


[...]

> - If Qubes tools are installed, networking works etc, and you got iptables installed already, then my thoughts are that it's likely missing system-config-*'s and the unavoidable full array of dependencies going with it.

Hmm, what are those system-config-*s you're talking about?


> - Try clone the template and essentially go berserk and not holding back, install the entire system-config- array of packages, see if networking works. If not, then either something is still missing, or firewalling has nothing to do with the system-config packages.
>
> - If it works, then try narrow down which packages that are used for firewalling, perhaps you can reduce the amount of dependency packages being pulled if you install just the package that firewall is using.

If there aren't hardcoded changes or manual configurations made in the
default fedora-26 template then yes, installing the exact same set of rpms
would in theory fix the problem. But before spending significant time on
installing a bunch of rpms and then dissecting I thought I'd ask fellow
users first... Maybe the cause is obvious and I'm overlooking something.

Unman

Feb 12, 2018, 11:26:51 AM2/12/18
to Ivan Mitev, qubes...@googlegroups.com
I just want to check - you say that the firewall rules are properly
enforced, and that everything works properly EXCEPT that you get a
warning.

Ivan Mitev

Feb 12, 2018, 11:41:57 AM2/12/18
to qubes...@googlegroups.com
Exactly.

BTW qvm-firewall works and doesn't output any error message...

Unman

Feb 12, 2018, 11:47:31 AM2/12/18
to Ivan Mitev, qubes...@googlegroups.com
Yes, thought so - it's probably a bug in the gui code that checks
connected netvm status. Does it happen with every connected qube?

Ivan Mitev

Feb 12, 2018, 12:12:45 PM2/12/18
to Unman, qubes...@googlegroups.com
Yes, it happens to all the vms connected to sys-firewall.

I just reverted sys-firewall's template to the default f26 and there was
no more error message, so it doesn't look like a bug in the gui,
something is likely missing in my customized template. Just have to find
what :)

Ivan Mitev

Feb 13, 2018, 3:29:40 AM2/13/18
to qubes...@googlegroups.com
Figured it out quickly this morning: in qubes-manager/settings.py the
error message is displayed when the template doesn't have the
'qubes-firewall' feature.

fix:

qvm-features fedora-26-minimal qubes-firewall 1

Out of curiosity I tried to find where/when this feature is set for the
default fedora-26 template: there's a comment in
qubes/ext/core_features.py that says '[this feature] can be freely
enabled or disabled by template' but I don't understand what it's
supposed to mean - whether the template automatically sets it somehow
(but then how?) or if it can be set for each template. It's probably
the latter; in that case maybe the feature is set by the template's rpm
postscripts (but then I couldn't find any mention of "qvm-features" in
the qubes-builder-fedora repo).

Yuraeitha

Feb 13, 2018, 5:38:27 AM2/13/18
to qubes-users
Interesting, I haven't seen qvm-feature before, isn't this quite new? But it seems like this is the kind of thing that could be used to flag Windows HVMs properly too, if the first impression of it is right.

About the system-config-*s, it's a lot of the fedora system tools that are ripped out in the minimal templates, but are in larger representation in the regular fedora templates. For example, in order to get printing to work, it's currently the default approach to install cups and system-config-printer: cups for the server service, and system-config-printer for the backbone infrastructure. I believe system-config-'s together with XFCE4 is what makes up the overall user interface? Thinking about it, it shouldn't be able to impact firewalls, which should work without any interface too, on servers without an interface. Well, I'm not so sure about the details. But either way this isn't important now that you found the issue and fixed it, it's just to reply back.

Marek Marczykowski-Górecki

Feb 13, 2018, 10:54:27 AM2/13/18
to Ivan Mitev, qubes...@googlegroups.com
See here: https://github.com/QubesOS/qubes-issues/issues/2829

In short: there is qubes.PostInstall service called just after template
installation, to let template advertise supported features. I think it
should be also called automatically after installing new packages (or
even updating existing), because that can influence supported features -
like in this case.

You can try triggering it manually. From the template call

/etc/qubes-rpc/qubes.PostInstall

Issue for tracking this problem: https://github.com/QubesOS/qubes-issues/issues/3579

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Ivan Mitev

Feb 13, 2018, 12:14:41 PM2/13/18
to qubes...@googlegroups.com

>> fix:
>>
>> qvm-features fedora-26-minimal qubes-firewall 1
>>
>> out of curiosity I tried to find where/when this feature is set for the
>> default fedora-26 template: there's a comment in qubes/ext/core_features.py
>> that says '[this feature] can be freely enabled or disabled by template' but
>> I don't understand what it's supposed to mean - whether the template
>> automatically sets it somehow (but then how ?) or if it can be set for each
>> template. It's probably the latter; in that case maybe the feature is set by
>> the template's rpm postscripts (but then I couldn't find any mention of
>> "qvm-features" in the qubes-builder-fedora repo).
>
> See here: https://github.com/QubesOS/qubes-issues/issues/2829
>
> In short: there is qubes.PostInstall service called just after template
> installation, to let template advertise supported features. I think it
> should be also called automatically after installing new packages (or
> even updating existing), because that can influence supported features -
> like in this case.

Ah, everything makes sense now...

>
> You can try triggering it manually. From the template call
>
> /etc/qubes-rpc/qubes.PostInstall

Yep, it works.

For other people reading this thread, this amounts to:

qvm-features-request qubes-firewall=1
qvm-features-request --commit

>
> Issue for tracking this problem: https://github.com/QubesOS/qubes-issues/issues/3579

Thanks!
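Added example (not from this thread and not Qubes project code): a dom0 shell check that, for a NetVM such as sys-firewall, looks up the template it runs on and reports whether that template advertises the qubes-firewall feature the thread identifies as the cause of the warning. It assumes the real dom0 tools behave as follows: `qvm-prefs VM template` prints the template name, and `qvm-features VM FEATURE` prints the feature value and exits non-zero when the feature is unset. Treating "1" (the value set by the fix above and by qubes.PostInstall) as enabled, and an empty value or "0" as disabled, is also an assumption of this example.

```shell
#!/bin/sh
# Added example, run in dom0. Reports whether the template behind a NetVM
# advertises the qubes-firewall feature, and prints the fix from the thread
# if it does not. Assumes qvm-prefs/qvm-features behave as described above.

# Print the template a qube is based on (assumes: qvm-prefs VM template).
netvm_template() {
    qvm-prefs "$1" template
}

# Return 0 when the template has qubes-firewall set to something other than
# an empty value or "0" (assumption: that is what counts as "enabled").
# qvm-features exits non-zero when the feature is unset, which we map to 1.
template_has_firewall_feature() {
    value=$(qvm-features "$1" qubes-firewall 2>/dev/null) || return 1
    [ -n "$value" ] && [ "$value" != "0" ]
}

# Check one NetVM. Exit status: 0 feature present, 1 missing, 2 lookup failed.
check_firewall_support() {
    netvm=$1
    tmpl=$(netvm_template "$netvm") || {
        echo "cannot read template of $netvm" >&2
        return 2
    }
    if template_has_firewall_feature "$tmpl"; then
        echo "$netvm (template $tmpl): qubes-firewall feature present"
        return 0
    fi
    echo "$netvm (template $tmpl): qubes-firewall feature missing" >&2
    echo "fix: qvm-features $tmpl qubes-firewall 1" >&2
    echo "  or, inside $tmpl, run /etc/qubes-rpc/qubes.PostInstall" >&2
    return 1
}

# usage: ./check-firewall-feature.sh sys-firewall
if [ $# -gt 0 ]; then
    check_firewall_support "$1"
fi
```

Run it from dom0 after swapping sys-firewall onto a customized template; a non-zero exit with the "missing" line means the GUI warning from the first post will appear until the feature is advertised, either by setting it directly or by re-running qubes.PostInstall inside the template.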