hvm templates without qubes-agent? making windows a non net connected dispvm


pixel fairy

Jun 27, 2018, 2:40:29 PM
to qubes-devel
I'd like to make template-based desktop OSes which can't run the qubes agent. I have two use cases,

1) running virt-manager locally instead of over ssh -X (I like spice)
2) probably more interesting, making the windows installation a template for dispvms.

in the case of 2, I'm thinking of 3n7r...s post on windows10 with a proxy machine running freerdp, https://groups.google.com/forum/#!topic/qubes-users/dB_OU87dJWA

this would need the connected VM also running to give that file to windows. Can freerdp or some other mechanism (pywinrm?) tell the windows VM to open that file?

Marek Marczykowski-Górecki

Jun 27, 2018, 5:37:21 PM
to pixel fairy, qubes-devel
For things like qvm-open-in-dvm you need qubes agents installed
(especially qrexec agent). Without this, you can setup some less
secure solution using for example inter-vm network for copying files. It
won't be fully "non net connected", but you can use firewall to limit
where VM can connect.

But to create TemplateVM which can be used later as a base for other
VMs, you don't need anything special. Just remember that the primary
disk (the one with 10GB, or bigger if you enlarge it) can be modified
only in TemplateVM - modifications done in TemplateBasedVM will be lost
after restart (same as modifications outside of /rw in Linux). There is
a second disk (2GB by default) which can be used for persistent data in
TemplateBasedVM, but without qubes windows tools you need to setup
filesystem there manually.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

pixel fairy

Jun 27, 2018, 6:26:03 PM
to qubes-devel
On Wednesday, June 27, 2018 at 2:37:21 PM UTC-7, Marek Marczykowski-Górecki wrote:

> For things like qvm-open-in-dvm you need qubes agents installed
> (especially qrexec agent). Without this, you can setup some less
> secure solution using for example inter-vm network for copying files. It
> won't be fully "non net connected", but you can use firewall to limit
> where VM can connect.

yes, that's what I meant. It only talks to proxyvm, nothing else. The linux HVM would talk to the proxy VM and have internet access.

>
> But to create TemplateVM which can be used later as a base for other
> VMs, you don't need anything special. Just remember that the primary

once the VM is made, how is it marked as, or converted to, a template?

will it then use the updatevm for updates like the shipped templates or is that an internal customization?
Marek Marczykowski-Górecki

Jun 27, 2018, 6:56:16 PM
to pixel fairy, qubes-devel
On Wed, Jun 27, 2018 at 03:26:03PM -0700, pixel fairy wrote:
> On Wednesday, June 27, 2018 at 2:37:21 PM UTC-7, Marek Marczykowski-Górecki wrote:
>
> > For things like qvm-open-in-dvm you need qubes agents installed
> > (especially qrexec agent). Without this, you can setup some less
> > secure solution using for example inter-vm network for copying files. It
> > won't be fully "non net connected", but you can use firewall to limit
> > where VM can connect.
>
> yes, that's what I meant. It only talks to proxyvm, nothing else. The linux HVM would talk to the proxy VM and have internet access.
>
> >
> > But to create TemplateVM which can be used later as a base for other
> > VMs, you don't need anything special. Just remember that the primary
>
> once the VM is made, how is it marked as, or converted to, a template?

You need to create it as a template. Use qvm-create --class TemplateVM
(Qubes 4.0 only). Then apply other settings (like virt_mode hvm).
You can also clone an existing StandaloneVM to make it a template:
qvm-clone --class TemplateVM YOUR_STANDALONEVM_NAME NEW_TEMPLATE_NAME

> will it then use the updatevm for updates like the shipped templates or is that an internal customization?

No, this also requires qrexec.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
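The dom0 steps from Marek's two replies (create the VM as a TemplateVM, set virt_mode hvm, or clone a StandaloneVM; then base an agent-less VM on it whose root disk resets on restart) collected into one script. This is an added example, not from the thread or the Qubes project; the qube names win-hvm-tpl, win-sa, win-work and sys-proxy, the ISO path and the 40g size are constructed. The script defaults to a dry run that only prints the dom0 commands, so it can be read and checked outside dom0; set DRY_RUN=0 in dom0 to execute them.

```shell
#!/bin/sh
# Added example (not the thread's or the Qubes project's code): build an
# agent-less Windows HVM TemplateVM on Qubes 4.0 and base a VM on it.
# All qube names and paths below are constructed placeholders.
set -eu

TEMPLATE="${TEMPLATE:-win-hvm-tpl}"     # assumed template name
PROXY="${PROXY:-sys-proxy}"             # assumed name of the proxy qube running FreeRDP
ISO="${ISO:-/home/user/win10.iso}"      # assumed dom0 path of the installer ISO
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print commands (default), 0 = run in dom0

# Print a dom0 command (quoting empty arguments so they stay visible), or run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        line=""
        for a in "$@"; do
            if [ -n "$a" ]; then line="$line $a"; else line="$line ''"; fi
        done
        printf '%s\n' "${line# }"
    else
        "$@"
    fi
}

# Marek's first route: create the qube as a TemplateVM up front (4.0 only),
# then apply the HVM settings. With no Qubes agent inside there is no
# dom0-provided kernel, so 'kernel' is cleared; only the proxy is reachable.
create_template() {
    run qvm-create --class TemplateVM --label black "$TEMPLATE"
    run qvm-prefs "$TEMPLATE" virt_mode hvm
    run qvm-prefs "$TEMPLATE" kernel ''
    run qvm-prefs "$TEMPLATE" memory 4096
    run qvm-prefs "$TEMPLATE" maxmem 4096
    run qvm-prefs "$TEMPLATE" netvm "$PROXY"
    # The primary (root) disk is 10GB by default and can be enlarged; only the
    # TemplateVM itself may modify it persistently.
    run qvm-volume resize "$TEMPLATE:root" 40g
}

# Install the OS into the template from the ISO (it is then shut down by the
# installer; changes made while booting the TemplateVM persist).
install_from_iso() {
    run qvm-start --cdrom="dom0:$ISO" "$TEMPLATE"
}

# Marek's second route: an existing StandaloneVM (first argument) already
# carrying the installed OS becomes the template via a typed clone.
clone_standalone_to_template() {
    run qvm-clone --class TemplateVM "$1" "$TEMPLATE"
}

# A TemplateBasedVM on top of it: its copy of the root disk is discarded on
# every restart, which is the "throwaway" behaviour the thread is after. The
# second (private, 2GB) disk persists but must be formatted inside Windows by
# hand, since there are no Qubes Windows Tools to do it.
make_template_based_vm() {
    run qvm-create --class AppVM --template "$TEMPLATE" --label red "$1"
    run qvm-prefs "$1" netvm "$PROXY"
}

main() {
    create_template
    install_from_iso
    make_template_based_vm win-work
    # alternative to the first two steps if a StandaloneVM win-sa already exists:
    # clone_standalone_to_template win-sa
}

main
```

Updates will not flow through the UpdateVM for such a template (that path needs qrexec, as the reply says); Windows Update inside the running TemplateVM, reaching the internet only via whatever the proxy qube and its firewall allow, is what remains.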