Re: [qubes-users] qubesdb-write


Marek Marczykowski-Górecki

Nov 26, 2015, 6:48:42 PM
to shawn wilson, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[moving to qubes-devel]

On Thu, Nov 26, 2015 at 06:30:12PM -0500, shawn wilson wrote:
> Where does /qubes-gateway and /qubes-secondary-dns get written?
>
> I've been grepping around and can't figure it out - i see start-ip
> (which I plan to alter with a /qubes-primary-dns vs just setting it to
> the same as the gateway) but can't find what sets these things.

Here, in dom0:
https://github.com/QubesOS/qubes-core-admin/blob/master/core-modules/000QubesVm.py#L1073-L1077

In dom0 this file is in
/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py

Also take a look at full list of qubesdb keys with description:
https://www.qubes-os.org/doc/vm-interface/

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWV5pWAAoJENuP0xzK19csoKkH/RB4NNK9f5k+CNz0u1yDFjSz
EyPk9U+yWxpi1TylnJNlxQK1bMoYA0guStD+BLwr2Wi1k531OKD4lSgVT6kk0EZ0
Pvg9a5Wd5TFhnkmnuWWYIacH6r3zLjuSqE5iZWOszZxiecmOE/37nLdW5utqW0b+
UYWPkDnXS2u3C2i7C+xFIS/XdCN+r2/Mge2vdG/kEUZzzHzT6nVRH3LlE33IR3VW
CeLwZkjTBerFXjjg9qJVwOcsVJME7Id2sbblLLVrG6bMfkFag0kLLn24Br4c9o6d
xJP+I75G5+K9aj3Zd7XjPUZttH4h4NoG4kuIuVFwAbSmuKWv/HNB/Dc0fQHt3AY=
=BuqH
-----END PGP SIGNATURE-----

shawn wilson

Nov 26, 2015, 9:16:11 PM
to Marek Marczykowski-Górecki, qubes-devel
Ok, so is there a design decision that stuff like this should come from
within the script and not a config file?
From core-modules/005QubesNetVm.py:
self.__secondary_dns = self.netprefix + "254"

I think it would be better to generate a config file for each VM
that gets written to qubesdb.

Also, would it be better to have /qubes/<domain>/<resource> so that
work or untrusted might use the same firewall but maybe different dns
(or my real reason is that I'd eventually like to pass a cert to
certain VMs to temporarily add and use a transparent squid w/ sslbump
- but wouldn't want to keep/update that info in each /rw). I'm
thinking /qubes/work/gateway would override /qubes-gateway - so an
enhancement.

I guess, what I really want are more network config options
configurable from dom0 (somewhere in /etc/qubes) - and that can be
more easily expanded.

I think I can figure out how to do this, just curious whether this
would be acceptable upstream? Or whether I'm missing anything in what
I'm thinking?

Marek Marczykowski-Górecki

Nov 27, 2015, 7:13:49 AM
to shawn wilson, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Nov 26, 2015 at 09:15:50PM -0500, shawn wilson wrote:
> Ok, so is there a design decision stuff like this should come from
> within the script and not a config file?
> self.__secondary_dns = self.netprefix + "254"
> from core-modules/005QubesNetVm.py:

Yes. The idea is to have "some" address there and then DNAT it to the
real DNS, so the VM doesn't need to know the real DNS address (and be
updated on each change). Actually every VM could use the same "virtual"
address for DNS servers, as the traffic will be DNATed a moment later
anyway. But currently this virtual DNS address depends on the VM directly
providing network to the particular (App)VM.

> I think it would be better to generate a config file on for each vm
> that gets written to qubesdb.
>
> Also, would it be better to have /qubes/<domain>/<resource> so that
> work or untrusted might use the same firewall but maybe different dns
> (or my real reason is that I'd eventually like to pass a cert to
> certain VMs to temporarily add and use a transparent squid w/ sslbump
> - but wouldn't want to keep/update that info in each /rw). I'm
> thinking /qubes/work/gateway would override /qubes-gateway - so an
> enhancement.

Note that each VM has its own Qubes DB; this isn't anything global
(like xenstore). So /qubes-gateway in one VM theoretically could be
totally different than in another. If you want to use different DNS
servers in different VMs, I see a few ways to do that:
1. Override in /rw/config/rc.local - not the most reliable (will not
work after an online netvm switch), but the simplest

2. Have different DNAT rules in firewallvm (or wherever your VMs are
connected to), using source address in iptables rules (can be done using
/rw/config/qubes-firewall-user-script)

3. Have different actual content of /etc/resolv.conf in different VMs,
based on /qubes-dns from Qubes DB set by dom0 (not existing yet -
/qubes-gateway is used now). This would require much more changes - both
adding this property in dom0 code, and modifying VM code to actually use
it.
iQEcBAEBCAAGBQJWWEj0AAoJENuP0xzK19csjFwH/AgnrrD9G2Bt+KU57gPW/jrM
+FYdoKXTerdMOl4bpxQg6AZf1ZoYBa0dvfjalZH6w10R7qMorpA5i5SjTvDL7Tx5
3dsaINwsyHtWf3EBREJK4bzWIuecrf8wREp+Pd999NLp+2C6wcBYFlmlWsKa4ZNX
MJbARYK0w8Euz72jfX5dLo8wLk9JZh1xpfcQQ8CKcsF8IGaugGFMkkrqxGXnFMGl
MVSsL60XlaYVqa//ZJYKHOCX1vYCATB38xOLgYUIeuLvThmrnF2QvuyX5UvoNT6I
a5qaPbzvcfd9ccpfRH60Ba4uutHgBhhvk1up9vPGstr5mNtMKfh3PMwicEtVt20=
=MldK
-----END PGP SIGNATURE-----
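Approach 2 above (per-VM DNS via DNAT rules in the firewall VM, keyed on the downstream VM's source address, installed from /rw/config/qubes-firewall-user-script), worked through as an added example. This is not code from the thread or from Qubes itself. It assumes a map file /rw/config/dns-map.conf with one "<appvm-ip> <resolver-ip>" entry per line (file name and format are this example's own), that the AppVM IPs are the ones dom0 assigned (qvm-ls -n in dom0, or qubesdb-read /qubes-ip inside the VM), and that the firewall VM's iptables supports -C. The sample addresses are constructed placeholders, not a recommendation.

```shell
#!/bin/sh
# Added example (not Qubes code): per-VM DNS override in the firewall VM.
# Save as /rw/config/qubes-firewall-user-script; Qubes runs it after each
# firewall reload, so the rules must be safe to apply repeatedly.
#
# ASSUMED map file format, one entry per line:  <appvm-ip> <resolver-ip>
DNS_MAP="${DNS_MAP:-/rw/config/dns-map.conf}"

# Constructed sample, used only when no map file exists so the script can be
# exercised outside Qubes (it then prints the rules instead of applying them).
SAMPLE_MAP='# appvm-ip    resolver
10.137.2.5    9.9.9.9
10.137.2.7    1.1.1.1
10.137.2.999  1.1.1.1   # malformed octet, must be skipped'

# Dotted-quad check in pure POSIX sh: four numeric octets, each 0-255.
is_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Print the shell commands that install one mapping. Both UDP and TCP port 53
# are matched so TCP fallback after a truncated answer reaches the same
# resolver. "-C" (check) makes the rule idempotent across reloads; "-I" with
# no position puts it ahead of the Qubes-managed rules in nat PREROUTING, so
# it wins over the default DNAT to the netvm's real DNS.
dns_dnat_rules() {
    for _proto in udp tcp; do
        _rule="PREROUTING -s $1 -p $_proto --dport 53 -j DNAT --to-destination $2:53"
        printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' "$_rule" "$_rule"
    done
}

# Turn map text into rule commands, skipping comments and malformed entries
# rather than letting a typo silently become a rule with an odd address.
rules_for_map() {
    printf '%s\n' "$1" | while read -r _src _dst _; do
        case "$_src" in ''|'#'*) continue ;; esac
        if is_ipv4 "$_src" && is_ipv4 "$_dst"; then
            dns_dnat_rules "$_src" "$_dst"
        else
            echo "dns-map: skipping malformed entry: $_src $_dst" >&2
        fi
    done
}

# Execute the generated commands only when this is really running as root in
# a VM that has iptables and a map file; otherwise print them (a dry run:
# DNS_MAP=/path/to/map sh qubes-firewall-user-script).
apply_rules() {
    if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1 && [ -r "$DNS_MAP" ]; then
        sh -e
    else
        cat
    fi
}

if [ -r "$DNS_MAP" ]; then
    rules_for_map "$(cat "$DNS_MAP")" | apply_rules
else
    rules_for_map "$SAMPLE_MAP" | apply_rules
fi
```

Two properties worth noting. The match is on source address and port 53 only, not on the destination, so every DNS packet the mapped VM sends is redirected regardless of which resolver address it was aimed at; this is what keeps the "virtual" DNS address scheme described above honest, since a VM cannot opt out by pointing /etc/resolv.conf elsewhere. The flip side is that the mapping is keyed by IP rather than VM name: if dom0 ever hands that address to a different VM, the override follows the address, so the map file has to be kept in step with what dom0 assigns. IPv6 is not covered, which matches the IPv4-only networking of the Qubes release discussed here.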