How to install clean template?


Albin Otterhäll

Jun 8, 2016, 2:15:57 PM
to qubes...@googlegroups.com
How should I go about to install a clean template? When setting up a
template for a specific domain, e.g. software development, it could be
useful to have a clean slate.

Andrew David Wong

Jun 8, 2016, 8:19:25 PM
to Albin Otterhäll, qubes...@googlegroups.com
You can simply clone one of the default templates. If you've already
modified the default template you want to use, you can clone it, then
reinstall it from the repo.

Here are the instructions for reinstalling the Whonix templates, but
the same general procedure should apply to all templates:

https://www.qubes-os.org/doc/whonix/reinstall/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Albin Otterhäll

Jun 9, 2016, 3:09:57 AM
to qubes...@googlegroups.com
Andrew David Wong:
> You can simply clone one of the default templates. If you've already
> modified the default template you want to use, you can clone it, then
> reinstall it from the repo.

So it isn't possible to install and name the template in the same
command? Little easier and simpler to just do that instead of renaming
templates before and after downloading a new template.

Is it considered good practice to only use copies of the default templates?

Andrew David Wong

Jun 9, 2016, 6:10:11 AM
to Albin Otterhäll, qubes...@googlegroups.com

On 2016-06-09 00:09, Albin Otterhäll wrote:
> Andrew David Wong:
>> You can simply clone one of the default templates. If you've
>> already modified the default template you want to use, you can
>> clone it, then reinstall it from the repo.
>
> So it isn't possible to install and name the template in the same
> command? Little easier and simpler to just do that instead of
> renaming templates before and after downloading a new template.
>

AFAIK, no.

> Is it considered good practice to only use copies of the default
> templates?
>

Yes.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Achim Patzner

Jun 9, 2016, 12:44:52 PM
to qubes...@googlegroups.com
On 09.06.2016 at 12:09, Andrew David Wong wrote:
> On 2016-06-09 00:09, Albin Otterhäll wrote:
> > Is it considered good practice to only use copies of the default
> > templates?
>
> Yes.

There is some grey area around that. Some tools just have to be there
for you to feel well. In my case it's things like "no unix without joe".
On the other hand, there is a lot of stuff I would never have in
/usr of a "minimally comfortable" baseline installation.

Essence: If you know what you're doing there is nothing wrong with
creating your own templates and using them all over the system, and removing
the templates that came with the installation.


Achim

J. Eppler

Jun 9, 2016, 3:19:26 PM
to qubes-users, gm...@otterhall.com
Hello,

yes, I normally clone one of the default VMs in the Qubes Manager, which opens a popup dialog to name your cloned template.

For example: fedora-23 -> clone to fedora-23-dev

Afterwards I tweak the templates for my development needs.

For example: Install my IDE, git etc.

As the last step, I create new AppVMs which are based on my development qube. I name them mostly after the project or programming language.

For example:
java-dev
work-projectname-dev
...

Sometimes it is better to create a standalone VM for development.

Best regards
  J. Eppler

Andrew David Wong

Jun 9, 2016, 3:40:00 PM
to Achim Patzner, qubes...@googlegroups.com

I think he meant copies of the RPM-managed templates as opposed to the
RPM-managed templates themselves, not "default" templates in the sense
of not installing any custom packages.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

J. Eppler

Jun 9, 2016, 3:50:43 PM
to qubes-users, no...@noses.com
Hello Andrew,

maybe I did not understand his question right.

Best regards
  J. Eppler


james....@gmail.com

Jun 22, 2016, 6:03:33 PM
to qubes-users, gm...@otterhall.com
Andrew,

I have a different problem. I've cloned fedora-23 and I need to install a bunch of software from my employer over their VPN using a script that does
"dnf install http://site.on.vpn/employer.rpm"

I've managed to get the VPN up and running in the template, but the dnf installs are timing out. wgets also time out. Any ideas?

I have no problem installing software in a VM based on the template, but I need the software installed in the template the VM is based on so I don't have to reinstall it every reboot.

Thanks in advance,

James

Ben Wika

Jun 22, 2016, 8:15:55 PM
to qubes-users, gm...@otterhall.com
I think you just have to tell the vm firewall settings to allow access for 10 minutes or whatever

Ward... James Ward

Jun 22, 2016, 8:45:17 PM
to Ben Wika, qubes-users, gm...@otterhall.com
I have even bypassed the firewall. I've got the VPN ProxyVM pointing directly at NetVM.


Chris Laprise

Jun 22, 2016, 9:17:59 PM
to Ward... James Ward, Ben Wika, qubes-users, gm...@otterhall.com


On 06/22/2016 08:45 PM, Ward... James Ward wrote:
> I have even bypassed the firewall. I've got the VPN ProxyVM pointing
> directly at NetVM.
>

That doesn't bypass the firewall exactly. The vpn vm is also a firewall,
and it accepts the firewall settings of other vms that are pointing to
it. So you would have to 'allow full access' from the template's
firewall settings.

Chris

Andrew David Wong

Jun 23, 2016, 3:03:30 AM
to Chris Laprise, Ward... James Ward, Ben Wika, qubes-users, gm...@otterhall.com

Yes, Chris is right. Make sure your VPN ProxyVM is set as your
TemplateVM's NetVM, then try using the "allow full access for N
minutes" option.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Andrew David Wong

Jun 23, 2016, 3:16:16 AM
to Ben Wika, qubes...@googlegroups.com

On 2016-06-23 00:08, Ben Wika wrote:
> I do like the idea of being able to instantly rename (or clone) a
> freshly downloaded vm so as to encourage the supposedly good
> practice of never modifying or working with the raw template. In
> fact I'd rather the raw templates themselves didn't even show up
> in the vm manager so you could always count on cloning them again
> without having to re-download.
>
> On 23 Jun 2016 5:03 PM, "Andrew David Wong" <a...@qubes-os.org> wrote:
>

That might not work as a default option, since some users may be short
on disk space or may (for one reason or another) want to modify the
RPM templates, but it wouldn't hurt to have the option to hide them.
(More generally, there could be an option to hide any arbitrary,
user-selected VMs.)

Added as a comment here:

https://github.com/QubesOS/qubes-issues/issues/1870#issuecomment-227969153


P.S. - Please keep the list CCed, and avoid top posting.

> On 2016-06-22 18:17, Chris Laprise wrote:
>>>>
>>>>
>>>> On 06/22/2016 08:45 PM, Ward... James Ward wrote:
>>>>> I have even bypassed the firewall. I've got the VPN ProxyVM
>>>>> pointing directly at NetVM.
>>>>>
>>>>
>>>> That doesn't bypass the firewall exactly. The vpn vm is also
>>>> a firewall, and it accepts the firewall settings of other
>>>> vms that are pointing to it. So you would have to 'allow
>>>> full access' from the template's firewall settings.
>>>>
>>>> Chris
>>>>
>
> Yes, Chris is right. Make sure your VPN ProxyVM is set as your
> TemplateVM's NetVM, then try using the "allow full access for N
> minutes" option.
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Ward... James Ward

Jun 23, 2016, 6:40:28 AM
to Andrew David Wong, Chris Laprise, Ben Wika, qubes-users, gm...@otterhall.com
Yeah, I tried that. Template still times out where a VM based on the template doesn't need any firewall modifications to install the firewall.

Andrew David Wong

Jun 23, 2016, 6:50:52 AM
to Ward... James Ward, Chris Laprise, Ben Wika, qubes-users, gm...@otterhall.com

On 2016-06-23 03:40, Ward... James Ward wrote:
> Yeah, I tried that. Template still times out where a VM based on
> the template doesn't need any firewall modifications to install
> the firewall.
>

That's very strange. If you've set things up correctly, there
shouldn't be any restrictions on your network access from the
TemplateVM.

Are the "Allow ICMP traffic" and "Allow DNS queries" boxes checked?


P.S. - Please don't top post.

> On Thu, Jun 23, 2016 at 12:03 AM Andrew David Wong
> <a...@qubes-os.org> wrote:
>
> On 2016-06-22 18:17, Chris Laprise wrote:
>>>>
>>>>
>>>> On 06/22/2016 08:45 PM, Ward... James Ward wrote:
>>>>> I have even bypassed the firewall. I've got the VPN ProxyVM
>>>>> pointing directly at NetVM.
>>>>>
>>>>
>>>> That doesn't bypass the firewall exactly. The vpn vm is also
>>>> a firewall, and it accepts the firewall settings of other
>>>> vms that are pointing to it. So you would have to 'allow
>>>> full access' from the template's firewall settings.
>>>>
>>>> Chris
>>>>
>
> Yes, Chris is right. Make sure your VPN ProxyVM is set as your
> TemplateVM's NetVM, then try using the "allow full access for N
> minutes" option.
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Chris Laprise

Jun 23, 2016, 12:17:05 PM
to Andrew David Wong, Ward... James Ward, Ben Wika, qubes-users, gm...@otterhall.com