TemplateVM Best-Practices?


Loren Rogers

Nov 30, 2016, 8:59:58 AM
to qubes-users
Hi all,

Are there any recommended strategies for creating and managing
TemplateVMs for regular users?

I use Qubes as my daily computer for regular tasks, and I'm wondering
how I can better manage my installations. For example, I currently have
one TemplateVM that I install everything into. (It's a clone of the
default, which is still used for system stuff.) It seems to me like this
isn't great practice - is there a better way? Or is this totally fine?

Thanks


Daniel Moerner

Nov 30, 2016, 9:14:28 AM
to qubes-users, lo...@lorentrogers.com
On Wednesday, November 30, 2016 at 8:59:58 AM UTC-5, Loren Rogers wrote:
> Hi all,
>
> Are there any recommended strategies for creating and managing
> TemplateVMs for regular users?

Speaking personally, I use four templates: (based on Debian 9)

base: For sys-*, vault, gpg, shopping, banking, etc.
office: Libreoffice, thunderbird extensions, latex. For work and personal VMs.
dev: Developer tools, compilers, etc. For dev VMs.
untrusted: Media software (vlc, etc.) as well as Chrome.

This lets me keep the individual templates to a more manageable size and prevents me from accidentally mixing up my workflow across VMs.

I would be open to using a more stripped-down base template but I'm not convinced it's worth it.

Loren Rogers

Nov 30, 2016, 7:03:06 PM
to Daniel Moerner, qubes-users
Thanks - it's really helpful to hear how others manage things. I'll give
a similar setup a try.

Zrubi

Dec 1, 2016, 3:48:34 AM
to Loren Rogers, qubes-users
On 11/30/2016 02:59 PM, Loren Rogers wrote:
> Hi all,
>
> Are there any recommended strategies for creating and managing
> TemplateVMs for regular users?
>

I'm having those templates:
netVMs, Proxym Firewall, VPN: fedora minimal based
regular AppVMs: Fedora, stuffed with all the apps I ever needed.
Devel VMs : Fedora, with development focused things.
Work : Fedora with work related apps.

Still thinking of merging the Devel one with my regular template because
of the update overhead.


--
Zrubi


Chris Laprise

Dec 1, 2016, 4:29:17 PM
to Loren Rogers, Daniel Moerner, qubes-users
There have been discussions about this over the years.

I don't think it's wrong to add lots of software to a 'general appVM use'
template as long as the new programs are not network-facing *services*
(as opposed to network clients).

This touches on the Qubes idea that users should compartmentalize. 'How'
we should do it is left to us to decide; however, the default Qubes
config including VMs for work, personal, etc. suggests we can
comfortably segregate by role. We don't have to do it app-by-app the
way some people suggest, and that would drive a lot of people crazy.
Implied in role-based compartmentalization is that each role will need a
lot of common apps working in concert.

Exceptions to this routine may emerge out of necessity. For example, it
generally isn't a good idea to add new software to Whonix templates.
Some also feel that service VMs like sys-net and sys-firewall should be
run with a minimal template without regular apps present... this makes
them more like router installations and theoretically more secure.

Chris
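A check that goes with the services-versus-clients rule above, added here as an example and not code from the thread: before keeping a newly installed package in a shared template, list the sockets it left listening on addresses other than loopback, since those are the network-facing services an AppVM would expose. The `ss` output below is constructed for the example; inside a real template you would pipe `ss -H -l -n -t -u -p` into the same function.

```shell
#!/bin/sh
# Constructed sample of `ss -H -l -n -t -u -p` output (not captured from a
# real VM); the column layout matches real ss output.
SAMPLE='udp   UNCONN 0  0   127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=412,fd=12))
tcp   LISTEN 0  128 127.0.0.1:631      0.0.0.0:*  users:(("cupsd",pid=903,fd=7))
tcp   LISTEN 0  128 0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=1201,fd=3))
tcp   LISTEN 0  511 *:80               *:*        users:(("nginx",pid=1402,fd=6))
tcp   LISTEN 0  128 [::1]:5432         [::]:*     users:(("postgres",pid=1555,fd=5))'

# Read ss listening-socket lines on stdin and print "proto local-address process"
# for every socket bound to a non-loopback address. Loopback-only listeners
# (127.0.0.0/8, ::1) are left out: they are not reachable from other VMs.
exposed_listeners() {
    awk '{
        addr = $5
        sub(/:[^:]*$/, "", addr)      # drop the trailing :port
        sub(/%.*$/, "", addr)         # drop an interface scope such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next
        name = "?"
        # process name is the first quoted token in users:(("name",pid=...))
        if (match($0, /\("[^"]*"/)) name = substr($0, RSTART + 2, RLENGTH - 3)
        print $1, $5, name
    }'
}

# Stand-alone demonstration on the constructed sample: expected to report
# only sshd on 0.0.0.0:22 and nginx on *:80.
printf '%s\n' "$SAMPLE" | exposed_listeners
```

An empty report means the package added no externally reachable listener; anything printed is a candidate for removal, or for a dedicated service template rather than the general one.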

Chris Laprise

Dec 1, 2016, 4:32:35 PM
to Zrubi, Loren Rogers, qubes-users
One precaution I usually follow is not putting development tools like
compilers in systems that are meant for non-development use. If I were
to merge any of those categories you listed, it would be Work and Regular.

Chris

Eva Star

Dec 2, 2016, 6:18:33 AM
to qubes...@googlegroups.com
On 12/02/2016 12:29 AM, Chris Laprise wrote:

> Exceptions to this routine may emerge out of necessity. For example, it
> generally isn't a good idea to add new software to Whonix templates.
> Some also feel that service VMs like sys-net and sys-firewall should be
> run with a minimal template without regular apps present... this makes
> them more like router installations and theoretically more secure.

Are there other advantages of using a minimal template for sys-net etc.?
Maybe faster boot? Less memory usage?
What size is the minimal template?


--
Regards

Zrubi

Dec 2, 2016, 1:11:03 PM
to Chris Laprise, qubes-users
On 12/01/2016 10:32 PM, Chris Laprise wrote:

> One precaution I usually follow is not putting development tools like
> compilers in systems that are meant for non-development use.

That is the reason it is separated right now :)

But in case the actual Devel AppVM is network enabled (it is in my
case), an attacker is free to download any shit - including the missing
compilers. So it is only a very thin layer of added security - if any.

In contrast, I have a huge upgrade and backup overhead.


> If I were to merge any of those categories you listed, it would be Work and Regular.

In my case the work VM contains real work related apps that are only for
internal use, coming from an internal repo. So there is no way to mix it
with any of my other templates.


--
Zrubi
