Debian minimal template?
406 views
Skip to first unread message
Qubed One
Aug 26, 2015, 1:50:26 PM8/26/15
to qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi, just curious if anyone has any plans for a Debian-minimal template
for Qubes R3 (ITL or community-maintained)?
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJV3fxxXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2N0FGNkY4NTIxMzYxNjI1REE1MjY1QTcw
MUNBRjYzOTFBQkM0OTgzAAoJEAHK9jkavEmDO7UQALlKpurmpJK4WH//B0JDHR4M
2/pXj8CZuj7js3D7JTxsjFQWQk7hzZMiLN7Y+1ABc7dtYv9pwK2wMwJDKLbiQ6Hy
ccQgNkjVx8b6Qqe8UXGtYrNTWtcTSUBLdt92FEtSX7c+GFhLfGwld7IY5amfPhX3
XD8nCOiqMibMfLOaFNfEMbyPUzOUHfyOOzoYy8NNTXUaXT7ogi19IFZLmTrbc+bM
PJTiqzI4ZRIxyQnhDmeBLscE8N4xNT3OECaf+CsWu/NPIgS9Fgv9q+Axom8y45qd
D86Ib7PA9MmbTum3z4KKv68l6AFVRon604HaRCa+8+tFHdR8KWLRJNYfMOgjGKty
CbIaUQjxTg+YyCVQOKJVhbvDU//Je5X4Q/xtlBH0EIA1BhPVst3JycwXGJMNspXk
w8AaF1Ijcz63lgCTvZBCemc1gW7St5Slem2HLq6fVLs6hJrZG/eENBOEMNAob3Fc
zPxCqrlXtrHDyTwPx++PlWO5O5nT4V5b5b7Z2WiSjBUK651wiD4aoD3rQ6TvDJKe
V7RKTdsYN0bXIbpG8dGA/Md0d5hvI6sPtvHbMRZRSEgEbUTUF1BEfSppcKEx4iPg
mCNfWRJ1djvVrEHB8bH25vSFDQupeYb94biY4RcPEOhtIBp2igL6KKa2lOCQ8lCT
3qofLuLFNMeDczhkmNXQ
=2LlC
-----END PGP SIGNATURE-----
Hash: SHA512
Hi, just curious if anyone has any plans for a Debian-minimal template
for Qubes R3 (ITL or community-maintained)?
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJV3fxxXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2N0FGNkY4NTIxMzYxNjI1REE1MjY1QTcw
MUNBRjYzOTFBQkM0OTgzAAoJEAHK9jkavEmDO7UQALlKpurmpJK4WH//B0JDHR4M
2/pXj8CZuj7js3D7JTxsjFQWQk7hzZMiLN7Y+1ABc7dtYv9pwK2wMwJDKLbiQ6Hy
ccQgNkjVx8b6Qqe8UXGtYrNTWtcTSUBLdt92FEtSX7c+GFhLfGwld7IY5amfPhX3
XD8nCOiqMibMfLOaFNfEMbyPUzOUHfyOOzoYy8NNTXUaXT7ogi19IFZLmTrbc+bM
PJTiqzI4ZRIxyQnhDmeBLscE8N4xNT3OECaf+CsWu/NPIgS9Fgv9q+Axom8y45qd
D86Ib7PA9MmbTum3z4KKv68l6AFVRon604HaRCa+8+tFHdR8KWLRJNYfMOgjGKty
CbIaUQjxTg+YyCVQOKJVhbvDU//Je5X4Q/xtlBH0EIA1BhPVst3JycwXGJMNspXk
w8AaF1Ijcz63lgCTvZBCemc1gW7St5Slem2HLq6fVLs6hJrZG/eENBOEMNAob3Fc
zPxCqrlXtrHDyTwPx++PlWO5O5nT4V5b5b7Z2WiSjBUK651wiD4aoD3rQ6TvDJKe
V7RKTdsYN0bXIbpG8dGA/Md0d5hvI6sPtvHbMRZRSEgEbUTUF1BEfSppcKEx4iPg
mCNfWRJ1djvVrEHB8bH25vSFDQupeYb94biY4RcPEOhtIBp2igL6KKa2lOCQ8lCT
3qofLuLFNMeDczhkmNXQ
=2LlC
-----END PGP SIGNATURE-----
Marek Marczykowski-Górecki
Aug 26, 2015, 4:04:29 PM8/26/15
to Qubed One, Jason M, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Wed, Aug 26, 2015 at 05:50:41PM +0000, Qubed One wrote:
> Hi, just curious if anyone has any plans for a Debian-minimal template
> for Qubes R3 (ITL or community-maintained)?
Jason, does the minimal template flavor (which exists in configuration)
is usable in the current state? Could you provide short description what
functionality is there (like working as NetVM etc) and what requires
additional packages. Something like the same for Fedora minimal:
http://www.qubes-os.org/doc/Templates/FedoraMinimal/
Then I could simply build and upload the package.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJV3hvHAAoJENuP0xzK19cshFAH/1uTmj8TTboviPMS6Io9BjJt
QuzjDdOgolz5W4jX+j6k5NTKaM+o2eIufrRp3sEUhCcNN2cxzopfXxPmH3hVKSEh
olCrnCwBME+5+zv8O8O6glJsni730MxRCMAGZTDRS0sgQhjkbWXah1rWb+AaGz2H
ru2LqI3Bv9F1KLi6GfcJMLsv526pysH8OCV2cG0LG3+WMrur8MEk1nQ4dlbKxLs+
Jgag0u0Vmwam4+edY7AJIsrdvpqh1emdGPRQX+uf+6HcfhkHyCFZme3qlOsyBW2N
jNBdQ5/GOCBo/LAV0H4CncK0CxhwT3D9iH3LXeJeUqRgiwC9Am2xSj317PnmPzg=
=kVfO
-----END PGP SIGNATURE-----
Hash: SHA256
On Wed, Aug 26, 2015 at 05:50:41PM +0000, Qubed One wrote:
> Hi, just curious if anyone has any plans for a Debian-minimal template
> for Qubes R3 (ITL or community-maintained)?
is usable in the current state? Could you provide short description what
functionality is there (like working as NetVM etc) and what requires
additional packages. Something like the same for Fedora minimal:
http://www.qubes-os.org/doc/Templates/FedoraMinimal/
Then I could simply build and upload the package.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJV3hvHAAoJENuP0xzK19cshFAH/1uTmj8TTboviPMS6Io9BjJt
QuzjDdOgolz5W4jX+j6k5NTKaM+o2eIufrRp3sEUhCcNN2cxzopfXxPmH3hVKSEh
olCrnCwBME+5+zv8O8O6glJsni730MxRCMAGZTDRS0sgQhjkbWXah1rWb+AaGz2H
ru2LqI3Bv9F1KLi6GfcJMLsv526pysH8OCV2cG0LG3+WMrur8MEk1nQ4dlbKxLs+
Jgag0u0Vmwam4+edY7AJIsrdvpqh1emdGPRQX+uf+6HcfhkHyCFZme3qlOsyBW2N
jNBdQ5/GOCBo/LAV0H4CncK0CxhwT3D9iH3LXeJeUqRgiwC9Am2xSj317PnmPzg=
=kVfO
-----END PGP SIGNATURE-----
nrgaway
Aug 26, 2015, 8:38:49 PM8/26/15
to Marek Marczykowski-Górecki, Qubed One, qubes...@googlegroups.com
On 26 August 2015 at 16:04, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Wed, Aug 26, 2015 at 05:50:41PM +0000, Qubed One wrote:
> Hi, just curious if anyone has any plans for a Debian-minimal template
> for Qubes R3 (ITL or community-maintained)?
Jason, does the minimal template flavor (which exists in configuration)
is usable in the current state? Could you provide short description what
functionality is there (like working as NetVM etc) and what requires
additional packages. Something like the same for Fedora minimal:
http://www.qubes-os.org/doc/Templates/FedoraMinimal/
Then I could simply build and upload the package.
I will document this for you. I do not use minimal template since it's not that much smaller than the regular one so I will need to test it all out again.
cprise
Aug 27, 2015, 1:19:36 AM8/27/15
to nrgaway, Marek Marczykowski-Górecki, Qubed One, qubes...@googlegroups.com
On 08/26/2015 08:38 PM, nrgaway wrote:
> On 26 August 2015 at 16:04, Marek Marczykowski-Górecki
> <marm...@invisiblethingslab.com
> On 26 August 2015 at 16:04, Marek Marczykowski-Górecki
> <marm...@invisiblethingslab.com
Then it would be good to make the Debian template selections similar to
Fedora, with the supplied 'regular' Debian template having desktop
features and apps. This would allow a user preferring Debian over Fedora
to use their system as a desktop immediately instead of going through
manual steps.
Vít Šesták
Sep 22, 2015, 3:21:16 PM9/22/15
to qubes-users, nrg...@gmail.com, marm...@invisiblethingslab.com, qube...@riseup.net
I have created something like "minimal" Debian TemplateVM by removing (almost) all needless things. I can share the list of packages (e.g. output of apt-mark showmanual) if someone is interested.
The sparse root.img has just 1.2GiB. OK, I admit it is not as minimal as Fedora.
Regards,
Vít Šesták 'v6ak'
The sparse root.img has just 1.2GiB. OK, I admit it is not as minimal as Fedora.
Regards,
Vít Šesták 'v6ak'
Axon
Sep 22, 2015, 3:37:59 PM9/22/15
to qubes-users, nrg...@gmail.com, marm...@invisiblethingslab.com, qube...@riseup.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Vít Šesták:
a normal yum update (without installing any new packages), and of
course it's almost always a good idea to update the software before
using the template for anything important.
> Regards, Vít Šesták 'v6ak'
>
> On Thursday, August 27, 2015 at 7:19:36 AM UTC+2, cprise wrote:
>>
>> On 08/26/2015 08:38 PM, nrgaway wrote:
>>> On 26 August 2015 at 16:04, Marek Marczykowski-Górecki
>>> <marm...@invisiblethingslab.com <javascript:>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWAa3+AAoJEJh4Btx1RPV8OGMQAOb/QipOtiPaBLpccTZaZsr5
yxfYrwjfFzpkLNhNU8ta0ClWl9MkoLp/tgUiAEfTC8c/DxA65UXGakKvmZrY4bfZ
WiEuL1Y5lGcJraABrdC+ehTl7Fd/jRufnuyQE5d9UWleu5VBHfvGvBKMn6wwZmwN
kXT1nfh5+SKHb3QaFMXz8l4pkLbQSy52TfscvgYPapDWuoM6JoQwOwQbtkdPOmxh
m1sLgj7I8zq7yT6OEgS5+gJO1qrtbfFNafaEuyaYeWep1zoMRLYhgr2HSWWCeCEi
5bkKoWoIqvZVjMvhzM7vM2PMiPFHzQ4xvOtHY0v0+j2QZjhuhA9LvcjUZMDAH8rY
i+ZONMjxqWGrd4VH3kQsqb8YESl1reQXIlMgro4KTr5y3Y2lvNbsPjdNiiyWLgpZ
1JM6aa4uCMLTviNiSFz++i2o40uPJXRwjOcB8hE8Kz/g17W+IpP6QEDbYUdJwG8U
1lyBnSF/ShARCthbJSzgoXvmZbZ0DuNE1j3MK/NSuE3QXIgnTrUqtJM8IfcfaPX+
4jF7cNdtDJcq4gn25rGVUR3jMTfFqX/n3dtNnjcIX4d/VG799rvj8n71ghxEamDQ
iavGE3q3JaH1Hq+9P4koKJhoR/8wefMFkZnwTacg44ZpiVzxj7XvhTQg0kIVbkFy
DudC0rAk6dy5lUdAoyWI
=wiQV
-----END PGP SIGNATURE-----
Hash: SHA512
Vít Šesták:
> I have created something like "minimal" Debian TemplateVM by
> removing (almost) all needless things. I can share the list of
> packages (e.g. output of apt-mark showmanual) if someone is
> interested.
>
> The sparse root.img has just 1.2GiB. OK, I admit it is not as
> minimal as Fedora.
>
To be fair, fedora-21-minimal is actually larger than that after doing
> removing (almost) all needless things. I can share the list of
> packages (e.g. output of apt-mark showmanual) if someone is
> interested.
>
> The sparse root.img has just 1.2GiB. OK, I admit it is not as
> minimal as Fedora.
>
a normal yum update (without installing any new packages), and of
course it's almost always a good idea to update the software before
using the template for anything important.
> Regards, Vít Šesták 'v6ak'
>
> On Thursday, August 27, 2015 at 7:19:36 AM UTC+2, cprise wrote:
>>
>> On 08/26/2015 08:38 PM, nrgaway wrote:
>>> On 26 August 2015 at 16:04, Marek Marczykowski-Górecki
iQIcBAEBCgAGBQJWAa3+AAoJEJh4Btx1RPV8OGMQAOb/QipOtiPaBLpccTZaZsr5
yxfYrwjfFzpkLNhNU8ta0ClWl9MkoLp/tgUiAEfTC8c/DxA65UXGakKvmZrY4bfZ
WiEuL1Y5lGcJraABrdC+ehTl7Fd/jRufnuyQE5d9UWleu5VBHfvGvBKMn6wwZmwN
kXT1nfh5+SKHb3QaFMXz8l4pkLbQSy52TfscvgYPapDWuoM6JoQwOwQbtkdPOmxh
m1sLgj7I8zq7yT6OEgS5+gJO1qrtbfFNafaEuyaYeWep1zoMRLYhgr2HSWWCeCEi
5bkKoWoIqvZVjMvhzM7vM2PMiPFHzQ4xvOtHY0v0+j2QZjhuhA9LvcjUZMDAH8rY
i+ZONMjxqWGrd4VH3kQsqb8YESl1reQXIlMgro4KTr5y3Y2lvNbsPjdNiiyWLgpZ
1JM6aa4uCMLTviNiSFz++i2o40uPJXRwjOcB8hE8Kz/g17W+IpP6QEDbYUdJwG8U
1lyBnSF/ShARCthbJSzgoXvmZbZ0DuNE1j3MK/NSuE3QXIgnTrUqtJM8IfcfaPX+
4jF7cNdtDJcq4gn25rGVUR3jMTfFqX/n3dtNnjcIX4d/VG799rvj8n71ghxEamDQ
iavGE3q3JaH1Hq+9P4koKJhoR/8wefMFkZnwTacg44ZpiVzxj7XvhTQg0kIVbkFy
DudC0rAk6dy5lUdAoyWI
=wiQV
-----END PGP SIGNATURE-----
Unman
Sep 22, 2015, 9:20:00 PM9/22/15
to Axon, qubes-users, nrg...@gmail.com, marm...@invisiblethingslab.com, qube...@riseup.net
On Tue, Sep 22, 2015 at 07:37:37PM +0000, Axon wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> -----BEGIN PGP SIGNED MESSAGE-----
>
> V??t ??est??k:
> > I have created something like "minimal" Debian TemplateVM by
> > removing (almost) all needless things. I can share the list of
> > packages (e.g. output of apt-mark showmanual) if someone is
> > interested.
> >
> > The sparse root.img has just 1.2GiB. OK, I admit it is not as
> > minimal as Fedora.
> >
>
> To be fair, fedora-21-minimal is actually larger than that after doing
> a normal yum update (without installing any new packages), and of
> course it's almost always a good idea to update the software before
> using the template for anything important.
>
> > Regards, V??t ??est??k 'v6ak'
> > removing (almost) all needless things. I can share the list of
> > packages (e.g. output of apt-mark showmanual) if someone is
> > interested.
> >
> > The sparse root.img has just 1.2GiB. OK, I admit it is not as
> > minimal as Fedora.
> >
>
> To be fair, fedora-21-minimal is actually larger than that after doing
> a normal yum update (without installing any new packages), and of
> course it's almost always a good idea to update the software before
> using the template for anything important.
>
> >
> > On Thursday, August 27, 2015 at 7:19:36 AM UTC+2, cprise wrote:
> >>
> >> On 08/26/2015 08:38 PM, nrgaway wrote:
> >>> On 26 August 2015 at 16:04, Marek Marczykowski-G??recki
> > On Thursday, August 27, 2015 at 7:19:36 AM UTC+2, cprise wrote:
> >>
> >> On 08/26/2015 08:38 PM, nrgaway wrote:
I use it for most VMs - it is perfectly usable as is.
Jason - are you doing that write up or do you want me to pick it up?
nrgaway
Sep 23, 2015, 5:15:42 PM9/23/15
to Unman, Axon, qubes-users, Marek Marczykowski-Górecki, Qubed One
I am currently finishing up on a salt management project which is due to be complete by end of month. If you have time to do that before then, that would be great, otherwise I will be able to complete it at that point :)
Ben Wika
Jun 19, 2016, 10:39:46 PM6/19/16
to qubes-users, un...@thirdeyesecurity.org, ax...@openmailbox.org, marm...@invisiblethingslab.com, qube...@riseup.net
Hi,
Not sure what's been happening on this subject since September (maybe discussion has moved?) but thought I'd make a contribution. Pretty new to some of this so appreciate the feedback.
If we install the base qubes template for Debian-8, and then do:
Then we end up with a file in the home directory that lists all installed packages.
I can use "apt-mark auto" against all these items to clear out the list, but before doing the autoremove, there's obviously some that have to remain.
To not 'break' the template completely, I'm finding that qubes-gui-agent is the only one that needs to be set to manual.
But for good measure I follow it up with the following apps which I know I'll be leaving in the minimal template:
sudo apt-get install firefox-esr lxterminal leafpad xfe
Finally we do the autoremove step and end up saving about 100MB. Not alot, but I'm more focused on simply reducing the attack surface.
Having done this, all seems to work fine but I imagine some features are missing behind the scenes (particularly qubes features).
So I appreciate any further recommendations or suggestions as to why debian minimal has to be any more complicated than what I've stated.
Regards
Ben
Not sure what's been happening on this subject since September (maybe discussion has moved?) but thought I'd make a contribution. Pretty new to some of this so appreciate the feedback.
If we install the base qubes template for Debian-8, and then do:
dpkg-query -f '${binary:Package} ' -W >> ~/inst(refer https://wiki.debian.org/ListInstalledPackages )Then we end up with a file in the home directory that lists all installed packages.
I can use "apt-mark auto" against all these items to clear out the list, but before doing the autoremove, there's obviously some that have to remain.
To not 'break' the template completely, I'm finding that qubes-gui-agent is the only one that needs to be set to manual.
But for good measure I follow it up with the following apps which I know I'll be leaving in the minimal template:
sudo apt-get install firefox-esr lxterminal leafpad xfe
Finally we do the autoremove step and end up saving about 100MB. Not alot, but I'm more focused on simply reducing the attack surface.
Having done this, all seems to work fine but I imagine some features are missing behind the scenes (particularly qubes features).
So I appreciate any further recommendations or suggestions as to why debian minimal has to be any more complicated than what I've stated.
Regards
Ben
Unman
Jun 20, 2016, 8:06:50 PM6/20/16
to Ben Wika, qubes-users, ax...@openmailbox.org, marm...@invisiblethingslab.com, qube...@riseup.net
There's already a minimal template which you can build - it would be
somewhat smaller than you've got to, although you haven't said what your
final size is.
I use a debian mini for most of the system qubes, including tor and usb.
A slightly larger one for sys-net. My guess is that most people
wont want the hassle of configuring and installing packages required
so using a default template is probably best for most users sys-net.
Look back over the thread and compare what you have against the minimal
package list.
I think there should be an official debian minimal template but it's just
got lost along the way, I think.
cheers
unman
Ben Wika
Jun 21, 2016, 4:18:42 AM6/21/16
to qubes-users, drink...@gmail.com, ax...@openmailbox.org, marm...@invisiblethingslab.com, qube...@riseup.net, un...@thirdeyesecurity.org
Perhaps I'm blind but I'm not seeing any mini package list in this thread. Only a discussion about who was going to post one.
Ben Wika
Jul 13, 2016, 9:20:53 PM7/13/16
to qubes-users, drink...@gmail.com, ax...@openmailbox.org, marm...@invisiblethingslab.com, qube...@riseup.net, un...@thirdeyesecurity.org
Iestyn Best
Jul 13, 2016, 10:39:22 PM7/13/16
to qubes-users, qube...@riseup.net
I am interested to see if someone can provide a guide since there is no template available.
Andrew David Wong
Jul 14, 2016, 4:07:52 AM7/14/16
to Iestyn Best, qubes-users, qube...@riseup.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
On 2016-07-13 19:39, Iestyn Best wrote:
> I am interested to see if someone can provide a guide since there is no
> template available.
>
FWIW, there may be a debian-8-minimal template available in 3.2:
> I am interested to see if someone can provide a guide since there is no
> template available.
>
https://groups.google.com/d/topic/qubes-devel/cekPfBqQMOI/discussion
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXh0hKAAoJENtN07w5UDAwUYAP+gNwippPA6V9YnlaWgSynTo7
SgUN/0xMl25L0LebrK8KnQhmVWThjXVAXdbQm1K0w8n6f1rgr0p7bStTXwzh2ZLA
B/lTqe7lRDEGz8ySrqbscGPALhJzL4V5UYE5iyfddxdkSy9RaaNh77rj9FvymWbb
gA3a9YfZX1Dn5nAJyW7s0ra2VcMqEHZ+5hwxWlzVxVwj7qVLrVVUvojSI5CBdFM4
EndwWd7PlSMD4XbyA4p0pU1QAEZBSWBJi4brKrvstmlxRS+NQ+TAQ6eF534FB5NJ
nKoxexLXxEGoyKXlZ9eTHjBkh1UXOJN7NW1w+12ip+KSSDwzmhrpoL8IA4zSSGJ9
dPGm83ov39t/0OEmwcCZsmlsEciR32vbTtOf0Nr4eNVYiasUIb8uJ2m7Gt9Aix6Z
4YdCtGnBvoipz/VSttNMuqdAttfQc6mm7M8IMSWSrAh0bRUccYo7xs+4AF/ALWLE
JrFSCkaCJ0W+QOcezckXmpvqpkQIP7Zi2mwoq4c1mge2WTpiYMEpa52Tb/aYIwMZ
BAzY0Wlds01lxiN/l/UHpyUYksU6xjGbsf4P9pfymtD5R5XSGgqaHROa0nCCACww
I5uJ6awPtc2sOgI5giAPtJBoclI2Bhp/zytNl7OPv+pc/aG5MFvZ80cBUk0V0FGL
anWo0v8xnBTUE3A5sVD/
=qLAR
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages