Install a CentOS HVM with a debug-window = no seamless mode


[799]

Oct 13, 2017, 1:11:17 AM
to qubes-users
Hello,

I'd like to switch from using VMware Workstation to Qubes to test/specific software for customers.

I want to set up a CentOS HVM and created an HVM, attached a CentOS minimal ISO and installed it without any problem.
After restart I was unable to get a Terminal window as qrexec is not installed.
I tried to boot into a normal "HVM-window" by disabling seamless mode and enabling Debug mode, but I couldn't get any window.

Questions:

a) how can I get a terminal window to install additional applications?

b) can I install the missing Qubes parts later on to get seamless mode working and to launch applications from dom0 (qrexec...)?

c) is it possible to create a standalone HVM based on an existing Qubes template?

Kind regards

[799]

Marek Marczykowski-Górecki

Oct 13, 2017, 7:11:13 PM
to [799], qubes-users

On Fri, Oct 13, 2017 at 01:11:05AM -0400, '[799]' via qubes-users wrote:
> Hello,
>
> I'd like to switch from using VMware Workstation to Qubes to test/specific software for customers.
>
> I want to set up a CentOS HVM and created an HVM, attached a CentOS minimal ISO and installed it without any problem.
> After restart I was unable to get a Terminal window as qrexec is not installed.
> I tried to boot into a normal "HVM-window" by disabling seamless mode and enabling Debug mode, but I couldn't get any window.

Did you switch "guiagent_installed" and/or "qrexec_installed"
properties? Both should be set to "false", unless you really installed
those components inside.

> Questions:
>
> a) how can I get a terminal window to install additional applications

Without qubes packages inside, the only option is the emulated VGA window -
make sure both guiagent_installed and qrexec_installed are set to false.

> b) can I install the missing Qubes parts later on to get seamless mode working and to launch applications from dom0 (qrexec...)

Not easily. Theoretically both qrexec and gui agent should just work,
but in practice packages shipping them depend on specific system
configuration - for example system being installed on /dev/xvda, without
partition table. This is improved for Qubes OS 4.0 - packages are split into
smaller parts and it is possible to install just parts you want, without
the whole system reconfiguring stuff.
Also, for Qubes OS 4.0 recently we've got a repository with CentOS 7
packages:
https://yum.qubes-os.org/r4.0/current-testing/vm/centos7/

I hope there will also be a pre-built template available soon.

But for now, if you're brave enough, you can add the above repository
(key for package verification is here:
https://github.com/QubesOS/qubes-builder-centos/blob/master/keys/RPM-GPG-KEY-qubes-4-centos)
and install qubes-core-agent-qrexec and qubes-gui-agent. Make a VM
backup first...

> c) is it possible to create a standalone HVM based on an existing Qubes template?

Yes, qvm-create --standalone --template TEMPLATE_NAME ...

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
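
The repository step described in the reply above, as an added example that is not part of the original message or of the Qubes project's code: a repo definition for the URL given in the thread with signature checking enforced, plus a check that rejects any repo section that skips package verification. The repo id, the file names, the local key path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: meant for use inside the CentOS 7 HVM, not in dom0.
# Assumed: local path where the key linked in the thread has been saved.
KEY=/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-centos

# Write a repo definition for the repository URL given in the thread.
write_qubes_repo() {   # $1 = output file
    cat > "$1" <<EOF
[qubes-vm-r4.0-current-testing]
name=Qubes OS r4.0 current-testing (CentOS 7 VM packages)
baseurl=https://yum.qubes-os.org/r4.0/current-testing/vm/centos7/
enabled=1
gpgcheck=1
gpgkey=file://$KEY
EOF
}

# Return 0 only if every [section] sets gpgcheck=1 and a local file:// gpgkey.
repo_is_verified() {   # $1 = repo file
    awk -F= '
        function closesect() { if (sect != "" && !(chk && key)) bad = 1 }
        { gsub(/[ \t\r]/, "") }                    # tolerate "key = value"
        /^\[/ { closesect(); sect = $0; chk = 0; key = 0; next }
        $1 == "gpgcheck" && $2 == "1" { chk = 1 }
        $1 == "gpgkey" && $2 ~ /^file:\/\/\// { key = 1 }
        END { closesect(); exit (bad || sect == "") ? 1 : 0 }
    ' "$1"
}

# Usage inside the VM as root, after saving the key to $KEY and comparing
# its fingerprint against a second source:
#   rpm --import "$KEY"
#   write_qubes_repo /etc/yum.repos.d/qubes-r4.0.repo
#   repo_is_verified /etc/yum.repos.d/qubes-r4.0.repo && \
#       yum install qubes-core-agent-qrexec qubes-gui-agent
```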

[799]

Oct 14, 2017, 9:39:27 AM
to Marek Marczykowski-Górecki, qubes-users
Hello Marek,

first of all thanks for all your qualified answers (not only in my but also other threads).

> Did you switch "guiagent_installed" and/or "qrexec_installed"
> properties? Both should be set to "false", unless you really installed
> those components inside.

Ok, now I understand, I've read something about qrexec_installed somewhere in the documentation, but I didn't understand in which context this was meant.
Yes, I've verified guiagent_installed and qrexec_installed and both are set to False.

>> b) can I install the missing Qubes parts later on to get seamless mode
>> working and to launch applications from dom0 (qrexec...)

> Not easily. Theoretically both qrexec and gui agent should just work
> but in practice packages shipping them depend on specific system
> configuration [...]
> This is improved for Qubes OS 4.0 - packages are split into
> smaller parts and it is possible to install just parts you want, without
> the whole system reconfiguring stuff.

I tried to run Qubes 4.0rc1 on my X230 but ran into problems, as I am now additionally running Coreboot I don't know if this adds even more complexity and thought about waiting until Qubes 4.0rc2 comes out.

>> c) is it possible to create a standalone HVM based on an existing Qubes template?

> Yes, qvm-create --standalone --template TEMPLATE_NAME ...

Wow, I didn't know that, I think this is the best approach, as I have the benefits from both worlds:
1) all qubes part to be able to run seamless mode (if needed)
2) all flexibility of a HVM to add additional packages etc.

As I want to migrate the HVM later on to vsphere (see my other thread which you have also answered :-) it might be a good idea to remove all specific qubes packages after the HVM has been migrated.

*** Question ***
Which packages should/can I uninstall to remove the specific Qubes parts (which are not needed after the VM has been migrated)?


My HVM which I've built with a standard centos-minimal ISO is now booting up in a window, which is great; unfortunately it seems to be stuck at boot.
I have removed rhgb quiet from GRUB when starting up to see what is going on and the VM is booting up very slowly and is then stuck with the last message:

[1.443023] [TTM] Initializing DMA pool allocator

I've waited for ~5 min but nothing happens after this.

*** Question ***
Do you have any idea why the boot is stuck after/at: "[1.443023] [TTM] Initializing DMA pool allocator"?

[799]

Marek Marczykowski-Górecki

Oct 14, 2017, 9:57:52 AM
to [799], qubes-users

On Sat, Oct 14, 2017 at 09:39:20AM -0400, [799] wrote:
> Hello Marek,
>
> first of all thanks for all your qualified answers (not only in my but also other threads).
>
> > Did you switch "guiagent_installed" and/or "qrexec_installed"
> > properties? Both should be set to "false", unless you really installed
> > those components inside.
>
> Ok, now I understand, I've read something about qrexec_installed somewhere in the documentation, but I didn't understand in which context this was meant.
> Yes, I've verified guiagent_installed and qrexec_installed and both are set to False.
>
> >> b) can I install the missing Qubes parts later on to get seamless mode
> >> working and to launch applications from dom0 (qrexec...)
>
> > Not easily. Theoretically both qrexec and gui agent should just work
> > but in practice packages shipping them depend on specific system
> > configuration [...]
> > This is improved for Qubes OS 4.0 - packages are split into
> > smaller parts and it is possible to install just parts you want, without
> > the whole system reconfiguring stuff.
>
> I tried to run Qubes 4.0rc1 on my X230 but ran into problems, as I am now additionally running Coreboot I don't know if this adds even more complexity and thought about waiting until Qubes 4.0rc2 comes out.
>
> >> c) is it possible to create a standalone HVM based on an existing Qubes template?
>
> > Yes, qvm-create --standalone --template TEMPLATE_NAME ...

Oh, sorry, I've mixed Qubes 4.0 and 3.2 feature set.
In Qubes 3.2 it is slightly more complex:
qvm-create --hvm --root-copy-from /var/lib/qubes/vm-templates/TEMPLATE_NAME/root.img ...

But for that to work, you need to install grub and kernel in the
template first. Because of the lack of a partition table on such root.img, you
need `grub2-install --force /dev/xvda` there. See here for additional
steps:
https://www.qubes-os.org/doc/managing-vm-kernel/#using-kernel-installed-in-the-vm

Then set qrexec_installed and guiagent_installed to true.

> Wow, I didn't know that, I think this is the best approach, as I have the benefits from both worlds:
> 1) all qubes part to be able to run seamless mode (if needed)
> 2) all flexibility of a HVM to add additional packages etc.
>
> As I want to migrate the HVM later on to vsphere (see my other thread which you have also answered :-) it might be a good idea to remove all specific qubes packages after the HVM has been migrated.

This will not be that easy. When you base your VM on a Qubes template,
it will have a lot of Qubes-related packages installed. It will probably
not work outside of Qubes...

> *** Question ***
> Which packages should/can I uninstall to remove the specific Qubes parts (which are not needed after the VM has been migrated)?

Short answer is: everything named qubes-*. But then you'll need to
recreate at least /etc/fstab. And probably some networking settings.
Maybe something more...

> My HVM which I've built with a standard centos-minimal ISO is now booting up in a window, which is great; unfortunately it seems to be stuck at boot.
> I have removed rhgb quiet from GRUB when starting up to see what is going on and the VM is booting up very slowly and is then stuck with the last message:
>
> [1.443023] [TTM] Initializing DMA pool allocator
>
> I've waited for ~5 min but nothing happens after this.

See what you have on emulated serial console:
sudo xl console NAME_OF_VM
(if that doesn't work, try adding `-t pv` option)

If nothing, add `console=hvc0` to kernel command line and try
again.
What kernel version do you have there?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[799]

Oct 14, 2017, 10:02:37 AM
to Marek Marczykowski-Górecki, qubes-users
Sorry for reposting shortly, but I need to add something more:

>>> is it possible to create a standalone HVM based on an existing Qubes template?
>> Yes, qvm-create --standalone --template TEMPLATE_NAME ...
> Wow, I didn't know that, I think this is the best approach, as I have the benefits from both worlds

I tried to follow your suggestion and created new VM based on an existing template:

qvm-create --standalone --template=t-fedora-25-minimal --label=blue --mem=2048 --vcpus=2 my-test

But this will create an AppVM not a HVM which is based on the chosen template.
I've installed some packages, rebooted and the changes were persistent, but we were talking about HVMs not AppVMs - as far as I understand (reading from the Qubes docu):

HVM (Hardware Virtual Machine) =  fully virtualized, or hardware-assisted, VM utilizing the virtualization extensions of the host CPU
Whereas the AppVM is a paravirtualized VM.

Strangely I don't see the Enable Seamless Mode button in Qubes Manager with the VM I have created with the above command.
When enabling Debug-Mode there is also no Boot-Up/Full VM-window, the (standalone App)VM is a seamless VM. If I use qvm-run to open applications they appear without any problems.
So what is the benefit of using Debug Mode?

There are no options "qrexec_installed" and "guiagent_installed", these seem to exist only with HVMs.

*** Question ***
Is it also possible to migrate a standalone AppVM to vsphere with the hint you gave me?

[799]




[799]

Oct 14, 2017, 11:30:04 AM
to Marek Marczykowski-Górecki, qubes-users
Hello Marek,

as the original question (what needs to be done to get seamless mode) has been answered, I think we should cover the other topic in a separate thread.
I'll answer to your feedback there.

[799]
