Update sys-net and sys-firewall to fedora-25?

cqui...@gmail.com

Oct 19, 2017, 9:18:21 AM
to qubes-users
Hi, I read around a bit but didn't really find much on this. I just created fedora-24 and fedora-25 vms following the docs pages. Since these are newer versions of the fedora os, should I switch sys-net and sys-firewall to use fedora-25 as a template instead of fedora-23, or should I just leave it as is?

Thanks!

yura...@gmail.com

Oct 19, 2017, 11:31:37 AM
to qubes-users
On Thursday, October 19, 2017 at 1:18:21 PM UTC, cqui...@gmail.com wrote:
> Hi, I read around a bit but didn't really find much on this. I just created fedora-24 and fedora-25 vms following the docs pages. Since these are newer versions of the fedora os, should I switch sys-net and sys-firewall to use fedora-25 as a template instead of fedora-23, or should I just leave it as is?
>
> Thanks!

Fedora 23 is not supported by Fedora anymore, hence you don't get the important updates. For example, just last Monday, a major crisis happened with Wi-Fi, leaving essentially all Wi-Fi networks across the planet vulnerable, especially those in Linux/Android, but also Windows/iOS/etc., not to mention all routers have to be updated too. This update won't come to Fedora 23; you will get the update for Fedora 25, however. This is just an example; using Fedora 23 is likely to be a big security issue. Dom0 being Fedora is less of a concern though, since it has no internet connection, and all system communication with Dom0 to VMs is updated by the Qubes team/Xen. Qubes still sends updates to fedora-23 for the Qubes tools, but fedora-23 itself isn't being updated anymore.

Essentially the Qubes command to upgrade/install the template should include all the Qubes tools, so it shouldn't be a problem to replace them in the Qubes Global Settings, as well as the individual VMs.

yura...@gmail.com

Oct 19, 2017, 11:43:58 AM
to qubes-users
On Thursday, October 19, 2017 at 1:18:21 PM UTC, cqui...@gmail.com wrote:
> Hi, I read around a bit but didn't really find much on this. I just created fedora-24 and fedora-25 vms following the docs pages. Since these are newer versions of the fedora os, should I switch sys-net and sys-firewall to use fedora-25 as a template instead of fedora-23, or should I just leave it as is?
>
> Thanks!

It's also recommended to refrain from using Fedora 24 as well, since it's fully discontinued by 2017-08-08, as you can see here. Even Fedora 25 is reaching end of line soon, but it is still being updated.
https://en.wikipedia.org/wiki/List_of_Fedora_Releases
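
The check the replies above argue for, as an added example that is not part of the original thread: it flags every qube whose template is on a Fedora release the thread describes as unsupported. The "<vm> <template>" input format, the function names and the sample inventory are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: flag qubes whose template is a Fedora release that no longer
# gets updates. Input format ("<vm> <template>" per line) is an assumption.

# Releases the thread describes as unsupported (Fedora 24 EOL 2017-08-08).
EOL_RELEASES="23 24"

# Print the Fedora release number embedded in a template name, or nothing.
# Works for clones such as t-fedora-25-minimal as well as fedora-23.
fedora_release() {
    echo "$1" | sed -n 's/.*fedora-\([0-9][0-9]*\).*/\1/p'
}

# Read "<vm> <template>" lines on stdin; print one finding per problem VM:
#   EOL <vm> <template>       template is on an unsupported release
#   UNKNOWN <vm> <template>   release cannot be derived from the name
audit_templates() {
    while read -r vm tpl; do
        [ -z "$vm" ] && continue
        case "$vm" in \#*) continue ;; esac   # skip comment lines
        rel=$(fedora_release "$tpl")
        if [ -z "$rel" ]; then
            echo "UNKNOWN $vm $tpl"
        elif echo " $EOL_RELEASES " | grep -q " $rel "; then
            echo "EOL $vm $tpl"
        fi
    done
}

# Constructed sample inventory (not the output of any real tool).
sample_inventory() {
    cat <<'EOF'
sys-net fedora-23
sys-firewall fedora-23
sys-usb t-fedora-25-minimal
work fedora-24
personal fedora-25
vault debian-8
EOF
}

sample_inventory | audit_templates
```

UNKNOWN entries are templates whose name carries no Fedora release number and need a manual check.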

[799]

Oct 21, 2017, 9:23:02 AM
to yura...@gmail.com, qubes-users
Hello,

as your sys-vms will connect to the outside world, I would recommend to run those with an OS which gets proper patches/updates.
As mentioned in another thread, it is easily possible to switch the sys-vms to fedora-25.
I'm running fedora 25 for all my VMs (Qubes 3.2).
I suggest that you keep the names of the sys-vms as I've run into a few issues when changing the names.
How to migrate:
1) download/install fedora-25 or fedora-25-minimal template in dom0
2) clone this template in a "sys-template" and install some more packages
3) delete your old sys-vms
4) create new sys-vms.

I have written a script which will do all the above steps, so that you can easily start with a fresh copy of sys-vms.
One more thing: depending on your hardware it might be that using a fedora-25 template instead of fedora-25-minimal will be better for sys-net.
But as with all VMs, you can easily change the template via dom0 afterwards.
I would recommend the fedora-25-minimal templates.

If you are interested I can send you the setup scripts to migrate from your existing sys-vms to fedora-25-minimal based sys-vms.

[799]




[799]

Oct 21, 2017, 9:39:44 AM
to yura...@gmail.com, qubes-users
Hello,

here you can find my scripts, which will rebuild all your sys-vms:
All scripts must be made executable with chmod +x FILENAME

1) qvm-destroy.sh
This script is a helper script which can be used to kill and remove a VM in one step.
I'd like to see an option in qvm-kill to get this done:
something like: qvm-kill --purge
Until then, this script should work (Warning: it will kill the VM without any further questions :-)

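#!/bin/bash
# Kill a running AppVM and remove it
# Usage: qvm-destroy.sh <Name-of-VM>
# Refuse to run without a VM name, since nothing below asks for confirmation
if [ -z "$1" ]; then
    echo "Usage: $0 <Name-of-VM>" >&2
    exit 1
fi
echo "Killing VM: $1"
qvm-kill "$1"
echo "Removing VM: $1"
qvm-remove "$1"
echo "Waiting for 5s (just to be sure)"
sleep 5s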

2) create-t-fedora-25-minimal.sh
Builds a custom template which will be used to create the new sys-vms.
mytemplatevm is the name of the new template, which will then be used in step 3 to build the sys-vms.
I like to work with clones of the default templates, so that I can always go back to a standard template.
I name my VMs with t-... to indicate that this VM is a template VM.

#!/bin/bash
# Variables
templatebasevm=fedora-25-minimal
mytemplatevm=t-fedora-25-minimal
# Install templatebasevm (just to make sure it is available)
sudo qubes-dom0-update qubes-template-$templatebasevm
# Remove existing Template VM
echo "Killing VM: $mytemplatevm"
qvm-kill $mytemplatevm
echo "Removing VM: $mytemplatevm"
qvm-remove $mytemplatevm
echo "Waiting for 10s until everything is finished"
sleep 10s
# Create a new template based on default template
echo "Clone $templatebasevm to $mytemplatevm"
qvm-clone $templatebasevm $mytemplatevm
# Hide original template
qvm-prefs -s $templatebasevm internal true
qvm-prefs -s $mytemplatevm internal false
# Launch new template
echo Launch new template-vm $mytemplatevm
qvm-start --tray $mytemplatevm
echo "Wait for 10sec until $mytemplatevm VM is up"
sleep 10s
# Install Updates and additional packages
echo "Install updates and additional applications in $mytemplatevm"
qvm-run $mytemplatevm 'xterm -e "sudo dnf -y update && \
   sudo dnf -y install mc nano pass langpacks-en langpacks-de glibc-locale-source qubes-usb-proxy \
                       qubes-input-proxy-sender gnome-terminal terminus-fonts less dejavu-sans-fonts \
                       NetworkManager NetworkManager-wifi network-manager-applet wireless-tools dbus-x11 \
                       tinyproxy notification-daemon gnome-keyring iwl6000g2a-firmware keepass \
                       linux-firmware && \
                       shutdown -h now "'
echo "Wait until all updates have been installed"
read -p "Press Enter to continue"

3) create-my-sysvms.sh
This script will actually build the new sys-vms (and remove the old one before).
It will use the template you have created in step 2)

#!/bin/bash
systemplate=t-fedora-25-minimal
###### Kill and remove existing vms
# qvm-destroy.sh is the helper script from step 1; it must be in the current directory
./qvm-destroy.sh sys-firewall
./qvm-destroy.sh sys-net
./qvm-destroy.sh sys-usb
###### Create a new Net VM
qvm-create --template $systemplate --label=red --net --mem=300 --vcpus=2 sys-net
# Disable PCI_Strictreset
# Attach PCI-Controllers  to AppVM
qvm-pci --add-class sys-net net
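# Fix Wifi when waking up from Resume
sleep 10s
# Run in sys-net (the VM holding the Wifi device); tee -a under sudo so the append is done as root
qvm-run --auto sys-net 'xterm -e "echo iwlmvm  | sudo tee -a /rw/config/suspend-module-blacklist && \
                                echo iwlwifi | sudo tee -a /rw/config/suspend-module-blacklist "'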
qvm-shutdown --wait --force sys-net
###### Create a new Firewall VM
qvm-create --template $systemplate --label=orange --proxy --mem=300 --vcpus=2 sys-firewall
#  Set Net-VM
qvm-prefs sys-firewall -s netvm sys-net
###### Create a new USB Qube
qvm-create --template $systemplate --label=red --net --mem=1024 --vcpus=2 sys-usb
# Disable PCI_Strictreset
qvm-prefs sys-usb -s pci_strictreset false
# Enable Autostart
qvm-prefs sys-usb -s autostart true
# Attach USB-Controllers  to AppVM
qvm-pci --add-class sys-usb usb
###### Start sys-vms
qvm-start sys-firewall
qvm-start sys-usb

4) create-default-sys-vms.sh
This script can be used to revert to the default sys-vms (based on the full fedora-25 default image, not the minimal image)

#!/bin/bash
###### Kill and remove existing vms
# qvm-destroy.sh is the helper script from step 1; it must be in the current directory
./qvm-destroy.sh sys-firewall
./qvm-destroy.sh sys-net
./qvm-destroy.sh sys-usb
###### Create a new Net VM
qvm-create --template fedora-25 --label=red --net --mem=300 --vcpus=2 sys-net
# Disable PCI_Strictreset
# Attach PCI-Controllers  to AppVM
qvm-pci --add-class sys-net net
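# Fix Wifi when waking up from Resume
sleep 10s
# Run in sys-net (the VM holding the Wifi device); tee -a under sudo so the append is done as root
qvm-run --auto sys-net 'xterm -e "echo iwlmvm  | sudo tee -a /rw/config/suspend-module-blacklist && \
                                echo iwlwifi | sudo tee -a /rw/config/suspend-module-blacklist "'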
qvm-shutdown --wait --force sys-net
###### Create a new Firewall VM
qvm-create --template fedora-25 --label=orange --proxy --mem=300 --vcpus=2 sys-firewall
#  Set Net-VM
qvm-prefs sys-firewall -s netvm sys-net
###### Create a new USB VM
qvm-create --template fedora-25 --label=red --net --mem=1024 --vcpus=2 sys-usb
# Disable PCI_Strictreset
qvm-prefs sys-usb -s pci_strictreset false
# Enable Autostart
qvm-prefs sys-usb -s autostart true
# Attach USB-Controllers  to AppVM
qvm-pci --add-class sys-usb usb
###### Start sys-vms
qvm-start sys-firewall
qvm-start sys-usb


If you have any further questions do not hesitate to contact me, if you want you can also send me a private email.

[799]

cooloutac

Oct 27, 2017, 9:41:25 AM
to qubes-users
Yes, I would just set all of them to use fedora-25 as their template.

cooloutac

Oct 27, 2017, 9:50:41 AM
to qubes-users
On Saturday, October 21, 2017 at 9:39:44 AM UTC-4, [799] wrote:
I hope we can still use a gui with mouse clicks to do this stuff in 4.0 lmao....

Otherwise once 3.2 is eol, my family will find other solutions...

cqui...@gmail.com

Oct 27, 2017, 10:44:59 AM
to qubes-users
I am testing 4.0r2 right now, and the lack of qubes-manager is a bit difficult to grasp as I didn't use the command line management stuff too much. I'm sure it will come together though.

OT: I ended up downloading the official fedora-25 templates and changed to those on 3.2. Thanks all!

[799]

Oct 27, 2017, 11:00:26 AM
to raah...@gmail.com, qubes...@googlegroups.com
Hello,


>> I hope we can still use a gui with mouse
>> clicks to do this stuff in 4.0 lmao.... 

I also hope that there is a replacement for Qubes Manager as (even as regular Qubes 3.2 User) Qubes 4.x feels much more complicated, compared to 3.2.

The Qubes Manager, which was running on its own workspace, was the best way to see what is going on at one glance.
It was also possible to make adaptions to several VMs in one go.
If I want to switch the Net Template for 3 VMs it is much easier doing so from Qubes Manager instead of opening the upper left menu and click through the submenus to open AppVM Preferences.


>> Otherwise once 3.2 is eol, my family
>> will find other solutions... 

As it seems more users have issues with the current release (VMs not starting) and because of hardware dependencies I hope that 4.0 gets "fixed".
I don't want to buy new hardware for Qubes 4 as I like to stay with Coreboot and the possible hardware which has enough power, is in 12" form factor and support Coreboot AND (!) Qubes 4.x seems to be small.

I still don't know if my X230 + Coreboot will run 4.x
Therefore I have also migrated back to 3.2.

[799]
