Disable sys-net autostart?

Slideshowbob

Feb 23, 2017, 1:13:46 PM
to qubes...@googlegroups.com
Hi,

is there a way to disable autostart for sys-net? Unticking the checkbox (including VMs which might trigger a sys-net start) doesn't work. Also, what are the security implications of doing this? Would network devices not in use by sys-net appear in dom0?

I'm trying to upgrade from 3.1 to 3.2 since the first RCs but the new version somehow behaves bat shit crazy on my system (6440HQ, I/O MMU and HAP/SLAT active on 3.1). As this is my main system and support for 3.1 comes to an end soon I finally need to find a solution somehow.

I was able to install and boot 3.2 by not creating the standard VMs in the post installer setup tool. I created the sys-net VM manually and was able to start/stop it without issues.

Since I created the net VM I'm unable to boot anymore. It hangs during the sys-net startup. The error message I get after a few minutes is:

BUG: soft lockup - CPU#1 stuck for 22s! [libvirtd:1769]

Anyone knows how to debug or fix this? The VM worked fine when started after the system was fully booted, it just fails if started during booting.

Greets,

slideshowbob


Unman

Feb 23, 2017, 8:16:32 PM
to Slideshowbob, qubes...@googlegroups.com
There are a couple of open issues about this autostart issue.

The simplest solution is to disable the auto start in
/etc/systemd/system/qubes-netvm.service - you can edit the file or
disable the service. If you do, make sure that you aren't starting any
other qubes that rely on sys-net. (That would include your clockVM.)
That way at least your Qubes will start up and then you can start the
individual qubes.
If you can't boot at all, you should be able to boot from a live distro,
mount the drive and edit that file in place.

Hope this helps

unman
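
Added example, not part of unman's reply or of Qubes itself: on a system that still boots, `systemctl disable qubes-netvm.service` in dom0 turns the autostart off. For the live-distro case, the sketch below does the equivalent on a mounted root by removing the unit's enablement symlinks and leaving the unit file alone. The mount point `/mnt`, the script name and the assumption that the unit is enabled through a `*.wants/` or `*.requires/` directory under `etc/systemd/system` are illustrative and should be checked on the actual installation.

```shell
#!/bin/sh
# Added example: disable a systemd unit inside a mounted (offline) root.
# Assumption: the dom0 root filesystem is mounted at the path given as $1.

UNIT="qubes-netvm.service"

# Print every enablement symlink for UNIT (in *.wants/ or *.requires/)
# below ROOT/etc/systemd/system. Regular unit files are never matched.
list_enable_links() {
    root=$1
    find "$root/etc/systemd/system" -mindepth 2 -maxdepth 2 \
        \( -path '*.wants/*' -o -path '*.requires/*' \) \
        -name "$UNIT" -type l 2>/dev/null | sort
}

# Remove those symlinks, the same effect "systemctl disable" has on a
# running system. The unit file itself stays, so it can be re-enabled.
disable_offline() {
    root=$1
    [ -d "$root/etc/systemd/system" ] || {
        echo "no etc/systemd/system under $root" >&2
        return 2
    }
    links=$(list_enable_links "$root")
    [ -n "$links" ] || { echo "$UNIT already disabled"; return 0; }
    echo "$links" | while IFS= read -r l; do
        echo "removing $l -> $(readlink "$l")"
        rm -- "$l"
    done
}

# Usage (hypothetical script name): sh disable-netvm-offline.sh /mnt
if [ -n "${1:-}" ]; then
    disable_offline "$1"
fi
```

Run `list_enable_links /mnt` first to see what would be removed; other qubes set to start on boot that use sys-net as their netvm will still pull it up, as noted above.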

Slideshowbob

Feb 24, 2017, 1:45:32 PM
to qubes...@googlegroups.com
Thanks for your response!

Would the hardware assigned to the net VM gain access to dom0 by disabling autostart?

I've got some noobish questions about that part of the security concept, maybe someone could explain that:
Is a pci device in dom0 able to do bad stuff if there's no driver loaded in dom0 using the device (I'd assume yes)?
How is dom0 protected from malicious pci devices during the time frame between starting xen and starting the related net VM?
I just noticed that lspci (in dom0, v3.1) shows the device which is currently assigned to my running net VM. Is that supposed to be the case? Are there xen commands to show which pci devices are actually active and which VMs they're assigned to?
While writing this I noticed there's 'xl pci-assignable-list'. Are those the currently non active pci devices?

On a side note, I'm currently still on 3.1, the 3.2 installation is on a usb stick for testing purposes. I want to solve all issues before I make the switch (can't have the main system in a broken state for long). Some time ago I made a regular 3.2 installation to hard disk and had the same issue so I assume it's not related to the usb installation.

slideshowbob

Oleg Artemiev

Feb 24, 2017, 6:30:39 PM
to Unman, Slideshowbob, qubes...@googlegroups.com
Just asked the same question and then found this thread. %) Thanks for
the answer. Could you be so kind as to provide more details:

>> Since I created the net VM I'm unable to boot anymore. It hangs during the sys-net startup. The error message I get after a few minutes is:
>> BUG: soft lockup - CPU#1 stuck for 22s! [libvirtd:1769]
>> Anyone knows how to debug or fix this? The VM worked fine when started after the system was fully booted, it just fails if started during booting.
> There are a couple of open issues about this autostart issue.
> The simplest solution is to disable the auto start in
> /etc/systemd/system/qubes-netvm.service - you can edit the file or
> disable the service.
Netvm is autostarted by other qubes it is assigned to.

Is it possible to have something like "ask user" ?

Sometimes it's not good to have networking, but at the same time I'd
like to start other VMs that have this VM as net VM.

> If you do make sure that you aren't starting any
> other qubes that rely on sys-net. (That would include your clockVM.)
Could you point to a paper in dox that we should review to get a
deeper understanding of VM chains?

I mean that sometimes I would like to override the default start
procedure - how can I get this?

Is there any alternative to get into single mode and play with VM prefs?

Why is the auto-start preference ignored by the boot sequence - because the OS
needs a clock VM?

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/