dispvms in qubes 4.0

266 views
Skip to first unread message

pixel fairy

unread,
Nov 8, 2017, 10:12:24 PM11/8/17
to qubes-devel
Ive tried creating them with 

qvm-create --class DispVM --template fedora25 --label red mydvm
app
: Error creating VM: Got empty response from qubesd. See Journalctl in dom0 for details.

the last line of that was 

AttributeError: 'TemplateVM' object has no attribute 'template_for_dispvms'

so i tried

qvm-create --class AppVM --template fedora-25 --label red mydvm
qvm
-prefs mydvm template_for_dispvms True

which seemed to work, but mydvm was a standart appvm. 

qvm-prefs mydvm dispvm_allowed True
qvm
-prefs: error: no such property: 'dispvm_allowed'

so how does one create and modify dispvms in qubes 4?

I was able to clone the fedora-25 template. modify that, and set that as the template vm to an existing dispvm, but then when you have to update packages, you have to download Nx as much data (number of dispvm templates), so i hope thats not the only way.

Marek Marczykowski-Górecki

unread,
Nov 8, 2017, 10:22:06 PM11/8/17
to pixel fairy, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Template for DispVM needs to be an AppVM. So, first create AppVM (or use
fedora-25-dvm provided for this purpose), then set
template_for_dispvms=True and use that AppVM for your DispVM.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaA8nXAAoJENuP0xzK19cs4TwH/jTELGSnozW2c5tlOzVSZv+S
DQ1f+gM8BXCaiyuRSjA/bxVub4uV+exrtba+hr2Zhs4FK2qpY66myv7ShY5SHydg
+s35binYZSJmerA2Sq7fEQuJxi3Bxy8mW4YvyEoLvISOF36MnvhKIEbxcwrBQoJW
nCkVJ8HW1bQHNDwgX+f5Jy7Eb9WBuvIdAqprCq1rkm8qk86CzGcdtR4r5tZbYhpF
HypphEu5QyV3sUqeGKdsViO+vtIX4HW7R7OyoIeMQ7ZRtYA5klW1iq5uEhCDcnHA
8RoWyDloQgWjEnc1hb24cK8yGH1R8CIAS55xz2vyIpbWje6Ji1oZM7o7KRG66EE=
=EPRC
-----END PGP SIGNATURE-----

pixel fairy

unread,
Nov 8, 2017, 10:59:24 PM11/8/17
to qubes-devel


Template for DispVM needs to be an AppVM. So, first create AppVM (or use
fedora-25-dvm provided for this purpose), then set
template_for_dispvms=True and use that AppVM for your DispVM.

Still confused. The second thing i tried above was make an appvm, then set template_for_dispvms=True.
that command returned without error, but it made a standard AppVM, preserving data. 

Just tried making an appvm to use as a template for a dispvm,

qvm-create --class AppVM --template fedora-25 --label black dispvm-template
qvm
-prefs dispvm-template template_for_dispvms True
qvm
-create --class DispVM --template dispvm-template --label red mydvm


That created a DispVM thats only visible from qvm-ls, and somehow has a black border if you start it with qvm-start. its the only one listed as a DispVM. the two working ones, fedora-25-dvm and whonix-ws-dvm are listed as AppVM

Trying the third command with --class AppVM gave an error in journalct that ended with "TypeError: wrong VM class: domains[<AppVM at ... name='dispvm-template'...] is of type AppVM and not TemplateVM"

pixel fairy

unread,
Nov 8, 2017, 11:06:17 PM11/8/17
to qubes-devel
Also tried

qvm-create --class AppVM --template fedora-25-dvm --label red my-other-dvm 
and got "... is of type AppVM and not TemplateVM" as above

qvm-create --class DispVM --template fedora-25-dvm --label red my-other-dvm 
made another invisible dispvm, does not show up on any menus, but this time with a red label. 


Marek Marczykowski-Górecki

unread,
Nov 8, 2017, 11:08:27 PM11/8/17
to pixel fairy, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hmm, what exactly to do you want to achieve? The above "qvm-create
- --class DispVM ..." is the correct one. It creates DispVM which can be
later started etc. And when you shutdown it, all its state (private
volume etc) is discarded. Initially it get all its properties from its
template, so this is why it got black border. Indeed it is confusing and
could be improved. You can change the border using qvm-prefs.

But if you want to create one-time-use DispVM, based on some AppVM -
just like qvm-open-in-dvm or tools does, you need to start a service
specifically in a new DispVM, using qvm-run --dispvm. For example:

qvm-run --dispvm=dispvm-template --service qubes.StartApp+xterm

This will create _new_ DispVM (with name like disp1234), start
qubes.StartApp+xterm service there (so, launch an application from
/usr/share/applications/xterm.deskop - xterm). And when that application
exit, destroy the DispVM.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaA9S2AAoJENuP0xzK19csAp0H/RGr3oTkiHwjO2f+4+JFCmOT
GuCihCxXi2DVLhpbCxl2WL+toOsKg229hKS33Q/G5Dlmc/ZbrVXMd8/QL7ZKQN0X
TCewmg+jVGK0H0UUJ6ZwOZB8pMqrsgLvczw3AZ3nKuNPj3bgAIMpReKnTbVLSM7b
9YbinyIwY7i73bgbTaw/EpYqHDeKjHbol79xg2bpoSvoGw7O7VD9wkvhGcyKNUw/
ST9bLU+xXrkfR11b8by6EQsAe45xX0Fkc6AshiYYSbKL5wcFNvdqeaUPtCzv14ab
X/bMKoiZCV5+n2wQqib43O6I8h9WSQdmrPVS50npeR6+blafohaJzHY4hfP0l9c=
=gt06
-----END PGP SIGNATURE-----

pixelfairy

unread,
Nov 8, 2017, 11:32:51 PM11/8/17
to Marek Marczykowski-Górecki, qubes-devel
On Wed, Nov 8, 2017 at 8:08 PM Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Nov 08, 2017 at 07:59:24PM -0800, pixel fairy wrote:
>
> >
> >
> >
> > Template for DispVM needs to be an AppVM. So, first create AppVM (or use
> > fedora-25-dvm provided for this purpose), then set
> > template_for_dispvms=True and use that AppVM for your DispVM.
> >
>
> Still confused. The second thing i tried above was make an appvm, then set
> template_for_dispvms=True.
> that command returned without error, but it made a standard AppVM,
> preserving data.
>
> Just tried making an appvm to use as a template for a dispvm,
>
> qvm-create --class AppVM --template fedora-25 --label black dispvm-template
> qvm-prefs dispvm-template template_for_dispvms True
> qvm-create --class DispVM --template dispvm-template --label red mydvm
>
>
> That created a DispVM thats only visible from qvm-ls, and somehow has a
> black border if you start it with qvm-start. its the only one listed as a
> DispVM. the two working ones, fedora-25-dvm and whonix-ws-dvm are listed as
> AppVM
>
> Trying the third command with --class AppVM gave an error in journalct that
> ended with "TypeError: wrong VM class: domains[<AppVM at ...
> name='dispvm-template'...] is of type AppVM and not TemplateVM"

Hmm, what exactly to do you want to achieve? The above "qvm-create

make a customized dvm with menus that show up in the top left. Ideally, this 
would behave like the qubes-3.2 version. so for example, browser settings 
could be customized, and the dvm would still update when the template vm does.
 
- --class DispVM ..." is the correct one. It creates DispVM which can be
later started etc. And when you shutdown it, all its state (private
volume etc) is discarded. Initially it get all its properties from its
template, so this is why it got black border. Indeed it is confusing and
could be improved. You can change the border using qvm-prefs.

yes, it is confusing. But after this thread the docs can be made clear.

seems qvm-create ignored the label flag in those two cases. 
"qvm-run myvm gnome-terminal" works as you describe, deleting the 
dummy text file i left in ~. but there was no indication of this. it started "mydvm" 
instead of dispNNNN.

no menus for mydvm or my-other-dvm showed up in the top left menu widget. 
nor any indication that these new dispvms exist, other than seeing them in qvm-ls.

Marek Marczykowski-Górecki

unread,
Nov 9, 2017, 12:01:44 AM11/9/17
to pixelfairy, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Well, a VM name is just a VM name. Having dispNNNN name does not
guarantee that it is really DispVM. You can freely create AppVM with
such name, or even TemplateVM, if you really want...

If you want some naming convention, apply it on your own.

> no menus for mydvm or my-other-dvm showed up in the top left menu widget.
> nor any indication that these new dispvms exist, other than seeing them in
> qvm-ls.

DispVMs do not have menu entries on its own, on purpose - to not trash
the menu with a lot of dispNNNN entries, and also to not slow down its
creation.
Maybe this should only apply to "dynamic" DispVMs - those created just
for one service call...

But, you can say that you want menu entries for an AppVM to launch
applications in a new DispVM created from it. Just like it is done for
fedora-25-dvm. To enable this feature for your own AppVMs, use
qvm-features tool:

qvm-features dispvm-template appmenus-dispvm 1

See man qvm-features for details.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaA+ExAAoJENuP0xzK19csVVEH/RkLfTR2h8Emk49xDgSIb5W4
6G71msWiJ9nsqJXMHpZ4ZEfFs4E9GCY5N3pdPUZrPd9dnpNq3IruZ6KLjTKSzSaD
XbTl2XgG/O3z+iktXCa1YErMIBjiKhgb/be6J3qIRXIry5wQM6a1Zc94FFSrfusC
sP//1XHRSaQtzc+AevWQJf4m26SRacqh313RiOdKn5hQMWvgSy0W0OkJShLwr2vD
HCL0v0qsyRdAoCvBN42f2CUFwPTPWFaNIjevk/sbxLVwjzOruu7WERD12CXfMUSO
5kSsp5dJyaxZb+I5rxBoT8f08lKvMnyvlmkyv7r0nHvO4fl24g3ehPVNilyRL6Q=
=Dne9
-----END PGP SIGNATURE-----

pixel fairy

unread,
Nov 9, 2017, 12:34:30 AM11/9/17
to qubes-devel
I meant menu entries that start the dispvm. for example, when you call firefox 
from the fedora-25-dvm multiple times, it makes multiple dispvms. I dont want dispNNNN
to show up in that menu. i agree that it would be silly.
 
Maybe this should only apply to "dynamic" DispVMs - those created just
for one service call...

But, you can say that you want menu entries for an AppVM to launch
applications in a new DispVM created from it. Just like it is done for
fedora-25-dvm. To enable this feature for your own AppVMs, use
qvm-features tool:

    qvm-features dispvm-template appmenus-dispvm 1

that worked for dispvm-template, but no menu for mydvm.

If you deleted fedora-25-dvm, how would you re create it?

Reply all
Reply to author
Forward
0 new messages