R3.1 RC1 bug report: DispVM firewall settings are neither independent nor volatile.

sudod...@gmail.com

Jan 12, 2016, 8:13:43 AM
to qubes-users
When I have multiple DispVMs running and change the firewall settings of one, then it affects ALL of them plus the settings of fedora-23-dvm. This makes the changes also persistent.

I guess VM settings should only apply to exactly one VM. And especially for DispVMs they should be as volatile as the DispVM.

Does some config file get symlinked instead of copied when creating a new DVM? I didn't do further research.

Marek Marczykowski-Górecki

Jan 12, 2016, 9:24:17 PM
to sudod...@gmail.com, qubes-users
Thanks, copied here:
https://github.com/QubesOS/qubes-issues/issues/1608

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Marek Marczykowski-Górecki

Jan 13, 2016, 6:32:23 PM
to sudod...@gmail.com, qubes-users
On Wed, Jan 13, 2016 at 03:24:08AM +0100, Marek Marczykowski-Górecki wrote:
> On Tue, Jan 12, 2016 at 05:13:42AM -0800, sudod...@gmail.com wrote:
> > When I have multiple DispVMs running and change the firewall settings of one, then it affects ALL of them plus the settings of fedora-23-dvm. This makes the changes also persistent.
> >
> > I guess VM settings should only apply to exactly one VM. And especially for DispVMs they should be as volatile as the DispVM.
> >
> > Does some config file get symlinked instead of copied when creating a new DVM? I didn't do further research.
> >
>
> Thanks, copied here:
> https://github.com/QubesOS/qubes-issues/issues/1608

Which Qubes version? I can't reproduce it on R3.1.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

sudod...@gmail.com

Jan 14, 2016, 5:52:55 AM
to qubes-users, sudod...@gmail.com
I noticed the problem with R3.1 rc1. Now I updated dom0 and fedora-23 so I guess I'm using R3.1 rc2 (qubes-core-dom0 3.1.10-1, qubes-manager 3.1.3-1). Further I use a customized fedora-23-dvm.
Previously I wrote that all other DVMs get 'affected'. I found out that the actual firewall settings of the other running DVMs do not change. But what changes are the firewall settings displayed in qubes-manager.
This is how I reproduce the bug:
* Use a customized dvm template (fedora-23-dvm)
* Start two DVMs and have a look at their firewall settings in qubes-manager. As expected they look the same as for fedora-23-dvm.
* Now change the firewall settings of a DVM and have a look at fedora-23-dvm firewall settings (or those of the other DVM). If the bug is present on your system then you may see that those settings have been changed too.
* Because fedora-23-dvm settings get changed, the settings persist.

Marek Marczykowski-Górecki

Jan 17, 2016, 7:33:43 PM
to sudod...@gmail.com, qubes-users
On Thu, Jan 14, 2016 at 02:52:54AM -0800, sudod...@gmail.com wrote:
> On Thursday, January 14, 2016 at 00:32:23 UTC+1, Marek Marczykowski-Górecki wrote:
> >
> > On Wed, Jan 13, 2016 at 03:24:08AM +0100, Marek Marczykowski-Górecki wrote:
> > > On Tue, Jan 12, 2016 at 05:13:42AM -0800, sudod...@gmail.com wrote:
> > > > When I have multiple DispVMs running and change the firewall settings of one, then it affects ALL of them plus the settings of fedora-23-dvm. This makes the changes also persistent.
> > > >
> > > > I guess VM settings should only apply to exactly one VM. And especially for DispVMs they should be as volatile as the DispVM.
> > > >
> > > > Does some config file get symlinked instead of copied when creating a new DVM? I didn't do further research.
> > > >
> > >
> > > Thanks, copied here:
> > > https://github.com/QubesOS/qubes-issues/issues/1608
> >
> > Which Qubes version? I can't reproduce it on R3.1.
> >
>
> I noticed the problem with R3.1 rc1. Now I updated dom0 and fedora-23 so I guess I'm using R3.1 rc2 (qubes-core-dom0 3.1.10-1, qubes-manager 3.1.3-1). Further I use a customized fedora-23-dvm.
> Previously I wrote that all other DVMs get 'affected'. I found out that the actual firewall settings of the other running DVMs do not change. But what changes are the firewall settings displayed in qubes-manager.
> This is how I reproduce the bug:
> * Use a customized dvm template (fedora-23-dvm)

Ok, I've missed this part. Indeed if fedora-23-dvm has customized
firewall rules, the bug happens. And actually (according to the design)
the problem is somewhere else - firewall rules should be inherited from
calling VM, not fedora-23-dvm. But if the calling VM has no firewall
rules set, indeed rules get inherited from fedora-23-dvm, instead of
having the same, empty rules.

A somewhat special case is dom0, because dom0 has no firewall rules, so
there is nothing to inherit from. But in this case, we can use
rules from fedora-23-dvm (and only in this case). And here is the
original bug too...

> * Start two DVMs and have a look at their firewall settings in qubes-manager. As expected they look the same as for fedora-23-dvm.
> * Now change the firewall settings of a DVM and have a look at fedora-23-dvm firewall settings (or those of the other DVM). If the bug is present on your system then you may see that those settings have been changed too.
> * Because fedora-23-dvm settings get changed, the settings persist.


--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
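
A minimal Python model of the inheritance rule described in the reply above, added here as an illustration; it is not Qubes code and not part of the original thread. The `VM` class, the function names and the rule entries are hypothetical, and the shared-reference variant only models the reported symptom, not a confirmed root cause.

```python
import copy
from dataclasses import dataclass
from typing import Optional


@dataclass
class VM:
    name: str
    firewall: Optional[list] = None  # None: no firewall rules set


def inherited_rules(caller: VM, dvm_template: VM) -> list:
    """Pick the rule source per the described design, return an independent copy."""
    if caller.name == "dom0":
        # dom0 has no firewall rules: the only case where the DVM template's apply
        source = dvm_template.firewall
    else:
        # any other caller: inherit its rules, even when that means empty rules
        source = caller.firewall
    return copy.deepcopy(source or [])


def start_dispvm(name: str, caller: VM, dvm_template: VM) -> VM:
    return VM(name, inherited_rules(caller, dvm_template))


def start_dispvm_shared(name: str, dvm_template: VM) -> VM:
    # Symptom model: the DispVM holds the template's rule object itself
    return VM(name, dvm_template.firewall)


def demo():
    rule = {"action": "allow", "dst": "example.org", "port": 443}  # constructed
    extra = {"action": "allow", "dst": "example.net", "port": 80}  # constructed

    tmpl = VM("fedora-23-dvm", [dict(rule)])
    a = start_dispvm_shared("disp1", tmpl)
    b = start_dispvm_shared("disp2", tmpl)
    a.firewall.append(extra)  # edit one DispVM
    leaked = (len(tmpl.firewall), len(b.firewall))  # template and sibling changed

    tmpl = VM("fedora-23-dvm", [dict(rule)])
    c = start_dispvm("disp3", VM("dom0"), tmpl)
    d = start_dispvm("disp4", VM("dom0"), tmpl)
    c.firewall.append(extra)  # edit one DispVM
    isolated = (len(tmpl.firewall), len(d.firewall))  # nothing else changed

    e = start_dispvm("disp5", VM("work"), tmpl)  # caller with no rules set
    return leaked, isolated, e.firewall


if __name__ == "__main__":
    print(demo())
```
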