ANN: Qubes network server

Manuel Amador (Rudd-O)

Oct 11, 2016, 3:31:25 PM
to qubes-users, qubes-devel
Folks, it gives me great pleasure to announce the product of over two
years of work (primarily because I never paid enough attention to this
project to bring it to completion): Qubes network server.

The traditional Qubes OS networking model contemplates a client-only use
case. User VMs (AppVMs or StandaloneVMs) are attached to ProxyVMs, which
give the user control over outbound connections taking place from user
VMs. ProxyVMs in turn attach to NetVMs, which provide outbound
connectivity for ProxyVMs and other user VMs alike.

Qubes network server changes all that. With the Qubes network server
software, it becomes possible to make network servers in user VMs
available to other machines, be they peer VMs in the same Qubes OS
system or machines connected to a physical link shared by a NetVM. You
get actual, full, GUI control over network traffic, both exiting the VM
and entering the VM, with exactly the same Qubes OS user experience you
are used to.

This is all, of course, opt-in, so the standard Qubes OS network
security model remains in effect until you decide to share network servers.

Anyway, without further ado:

https://github.com/Rudd-O/qubes-network-server

Real easy: clone, build, install, test. I tested it with Qubes 3.1, but
it's very likely that it'll work fine in Qubes 3.2. I recommend you
test this on a Qubes machine that is not your main Qubes machine, but
the code does not do anything funky, and uninstalling the program should
be enough to revert your system back to its original state.

I hope we can turn this add-on into a core Qubes feature. As always,
contributions to the project — reports, code enhancements, pull
requests, other items — are very much welcome!

--
Rudd-O
http://rudd-o.com/

Manuel Amador (Rudd-O)

Oct 12, 2016, 1:31:01 PM
to qubes-users, qubes-devel
Update:

I have dramatically enhanced the documentation of the project:

* https://github.com/Rudd-O/qubes-network-server
* https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20your%20first%20server.md
* https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20an%20SSH%20server.md

This project is now ready and documented enough to be useful to users of
Ansible Qubes who want to remotely manage clusters of Qubes OS machines:

* https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Remote%20management%20of%20Qubes%20OS%20servers.md
* https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Enhance%20your%20Ansible%20with%20Ansible%20Qubes.md

I strongly welcome anyone who tries this and shares their experiences.
It is my goal to get this to be a key part of the Qubes OS strategy.

--

Rudd-O
http://rudd-o.com/

Manuel Amador (Rudd-O)

Nov 6, 2016, 7:07:55 PM
to Max, qubes-users, qubes...@googlegroups.com
On 11/05/2016 03:54 PM, Max wrote:
>
> Thanks for the response!
>
> I ran this and also ran 'sudo dnf install go' when I came across the following error: 'go is needed by qubes-network-server-0.0.4-1.fc23.noarch'.

A commit is now out which eliminates this dependency.

> I then did the cd into the cloned folder and the 'make rpm' function has appeared to have worked.
>
> I followed the steps to get this to Dom0 and then installed the RPM. It may be better to add to the documentation 'sudo rpm -ivh qns.rpm' as I wasn't initially sure that I actually had to name the file. It helps the noobs!
>
> The purpose for me for installing the network server was to be able to ping my Debian VM from my Windows VM.
>
> These are the configuration steps I took subsequent to install:
>
> 1) Created a ProxyVM named server-proxy.
> 2) Changed the NetVM on both work-apps (my Debian 8 VM) and windows-7 (HVM) to the new ProxyVM

Sorry, I should have clarified that HVMs are not supported at all. I am
very, very sorry. I need to do more work to get HVMs to work properly
("more" is a euphemism for I have totally forgotten so far to support
that use case). It is totally my fault that I did not explain this in
the documentation. My bad. I have updated the documentation to reflect
that.

If you could help me, do report what happens when you ping between a
Fedora and a Debian AppVM, or two Debian AppVMs.

--
Rudd-O
http://rudd-o.com/
