Debian template


Olivier Médoc

Mar 21, 2014, 5:53:43 AM
to qubes...@googlegroups.com
Hello,

As I have seen that David Steinn Geirsson is working on a debian template, I
think it could be good to share our tips on building/converting OSs and
Agents based on apt/.deb.

For instance, we tried to convert a livecd based on ubuntu to a Qubes
template. What we have done so far:
- Create linux-template-builder scripts that initialize the system by:
1/ Extracting the squashfs from the ISO
2/ Mount the squashfs
3/ Copy the content of the squashfs on INSTALLDIR (using cp -r -p)

On the linux-template-builder side, we wanted to use ubiquity to install
the template, but it is GUI based and it crashes with dbus errors. For
this reason, we just copied the whole squashfs content. Is there any
console mode for ubiquity?

- Try to convert qubes agents and make them work in a HVM where the ISO
has been installed:
1/ Attempts to convert fc18 agents packages using Alien: FAILED
2/ Attempts to extract archlinux agents packages in / using tar: TODO

We are now waiting because David apparently has some results. David, did
you manage to make qrexec work? How did you install the agents?
Have you any debian build scripts?


Marek Marczykowski-Górecki

Mar 21, 2014, 6:04:07 AM
to Olivier Médoc, qubes...@googlegroups.com
On 21.03.2014 10:53, Olivier Médoc wrote:
> Hello,
>
> As I have seen that David Steinn Geirsson is working on a debian template, I think
> it could be good to share our tips on building/converting OSs and Agents based
> on apt/.deb.
>
> For instance, we tried to convert a livecd based on ubuntu to a Qubes
> template. What we have done so far:
> - Create linux-template-builder scripts that initialize the system by:
> 1/ Extracting the squashfs from the ISO
> 2/ Mount the squashfs
> 3/ Copy the content of the squashfs on INSTALLDIR (using cp -r -p)
>
> On the linux-template-builder side, we wanted to use ubiquity to install the
> template, but it is GUI based and it crashes with dbus errors. For this reason,
> we just copied the whole squashfs content. Is there any console mode for
> ubiquity?

Perhaps debootstrap will do the job.

> - Try to convert qubes agents and make them work in a HVM where the ISO has
> been installed:
> 1/ Attempts to convert fc18 agents packages using Alien: FAILED
> 2/ Attempts to extract archlinux agents packages in / using tar: TODO
>
> We are now waiting because David apparently has some results. David, did you
> manage to make qrexec work? How did you install the agents? Have you any
> debian build scripts?
>
>


--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Outback Dingo

Mar 21, 2014, 8:54:53 AM
to Marek Marczykowski-Górecki, Olivier Médoc, qubes...@googlegroups.com
On Fri, Mar 21, 2014 at 6:04 AM, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
> On 21.03.2014 10:53, Olivier Médoc wrote:
>> Hello,
>>
>> As I have seen that David Steinn Geirsson is working on a debian template, I think
>> it could be good to share our tips on building/converting OSs and Agents based
>> on apt/.deb.
>>
>> For instance, we tried to convert a livecd based on ubuntu to a Qubes
>> template. What we have done so far:
>> - Create linux-template-builder scripts that initialize the system by:
>>     1/ Extracting the squashfs from the ISO
>>     2/ Mount the squashfs
>>     3/ Copy the content of the squashfs on INSTALLDIR  (using cp -r -p)
>>
>> On the linux-template-builder side, we wanted to use ubiquity to install the
>> template, but it is GUI based and it crashes with dbus errors. For this reason,
>> we just copied the whole squashfs content. Is there any console mode for
>> ubiquity?
>
> Perhaps debootstrap will do the job.

definitely use debootstrap.............!!!!!!!!!!

Davíð Steinn Geirsson

Mar 22, 2014, 10:32:16 AM
to Olivier Médoc, qubes...@googlegroups.com
Hi,

On Fri, 21 Mar 2014 10:53:43 +0100
Olivier Médoc <o_m...@yahoo.fr> wrote:

> Hello,
>
> As I have seen that David Steinn Geirsson is working on a debian template,
> I think it could be good to share our tips on building/converting OSs
> and Agents based on apt/.deb.
>
> For instance, we tried to convert a livecd based on ubuntu to a Qubes
> template. What we have done so far:
> - Create linux-template-builder scripts that initialize the system by:
> 1/ Extracting the squashfs from the ISO
> 2/ Mount the squashfs
> 3/ Copy the content of the squashfs on INSTALLDIR (using cp -r
> -p)
>
> On the linux-template-builder side, we wanted to use ubiquity to
> install the template, but it is GUI based and it crashes with dbus
> errors. For this reason, we just copied the whole squashfs content.
> Is there any console mode for ubiquity?

As others have said, the best (and canonical) way of installing
debian-based distros from a running linux system is to use debootstrap.
It's also much easier.

I haven't started on any template building scripts yet, my first
priority is to get the qubes integration stuff packaged and working in
HVM. After that's done, building the template should be fairly easy.

>
> - Try to convert qubes agents and make them work in a HVM where the
> ISO has been installed:
> 1/ Attempts to convert fc18 agents packages using Alien: FAILED
> 2/ Attempts to extract archlinux agents packages in / using tar:
> TODO
>
> We are now waiting because David apparently has some results. David,
> did you manage to make qrexec work? How did you install the
> agents? Have you any debian build scripts?

I do indeed. Your mail gave me the needed push to at least publish what
I have currently working. :)

You can find the packaging in git here:
http://www.dsg.is/qubes/

Currently working, at least to some extent (in some cases I've skipped
parts from the packaging for now):
core-vchan-xen
linux-kernel
linux-utils
core-agent-linux
gui-common

These repositories should all have GPG signed tags signed using the
attached key (not the same key I use for signing mail). The key ID
should be 254F1EA0644CF100.

Installing the first four should get you working qrexec after enabling
it from dom0:
qvm-prefs -s <vmname> qrexec_installed True

For the VM, I have a clean minimal install of debian in a HVM.
Use the username 'user' when installing the system and add NOPASSWD to
sudoers as some of the qubes scripts depend on that. Add /proc/xen
mount to your fstab:
xen /proc/xen xenfs defaults 0 0

You'll also have to set a static network configuration for now.

Some stuff I want to fix in the future:
* Split packages into separate lib, dev and util packages. Currently
it's one qubes repo = one package.
* Get rid of all the remaining lintian warnings.
* Verify Depends and Build-depends are correct - probably missing some
stuff still.
* Write helper scripts for ifupdown to set correct network
configuration from xenstore

Right now, my primary goal is to get the GUI stuff working. My time for
working on this is limited though, so any help would be appreciated.

Best,
Davíð
qubes-debian-key.asc
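
Checking that a tag was made by the key named in the message above, before building from it. This is an added example, not part of the thread or of the packaging repositories; the function names signer_matches and verify_tag are hypothetical, and the sample status lines and the A/B fingerprint padding are constructed.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of the thread or the repos.
# Long key ID quoted in the message above.
EXPECTED_KEYID=254F1EA0644CF100

# Constructed GnuPG status output; the leading A/B hex digits are placeholder
# padding, not a real fingerprint.
SAMPLE_GOOD='[GNUPG:] GOODSIG 254F1EA0644CF100 Example Signer
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA254F1EA0644CF100 2014-03-22 1395484336 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAA254F1EA0644CF100'
SAMPLE_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBB0123456789ABCDEF 2014-03-22 1395484336 0 4 0 1 8 00 BBBBBBBBBBBBBBBBBBBBBBBB0123456789ABCDEF'

# signer_matches STATUS_TEXT KEYID
# Succeeds only when the status text has a VALIDSIG line whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) ends in KEYID,
# and no line reports a bad, expired-key or revoked-key signature.
signer_matches() {
    case "$2" in
        ''|*[!0-9A-Fa-f]*) return 2 ;;   # refuse empty or non-hex key IDs
    esac
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = toupper(want); n = length(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            sig = toupper($3); pri = toupper($NF)
            if (substr(sig, length(sig) - n + 1) == want ||
                substr(pri, length(pri) - n + 1) == want) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_tag REPO TAG
# git verify-tag --raw writes the GnuPG status lines to stderr and exits
# non-zero when the signature cannot be verified.
verify_tag() {
    status=$(git -C "$1" verify-tag --raw "$2" 2>&1) || return 1
    signer_matches "$status" "$EXPECTED_KEYID"
}
```

Where the full fingerprint of the attached key is known, set EXPECTED_KEYID to it instead of the 64-bit key ID, since the suffix comparison then covers the whole fingerprint.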

tim.t...@gmail.com

Apr 2, 2014, 5:41:52 PM
to qubes...@googlegroups.com, Olivier Médoc, da...@dsg.is
Hello Davith,

I have automated your instructions with a python script and uploaded the script here: https://github.com/timthelion/qubes-tools-debian

The end result is that you can build the debfiles and an installation ISO within a fedora based AppVM, and then you can mount the ISO and run the automated installer in debian.  This gets me to the point where "Run command in VM" works.  Nothing else seems to though.  Is there anything else working at this point?

I'm not proud of my code (I've really been throwing it together without much thought or planning), but it seems to work.  For me, personally, having an HVM that has the qubes tools is actually better than a TemplateVM, so I'll probably try to maintain this install method in one form or another.

Tim

Outback Dingo

Apr 2, 2014, 7:02:12 PM
to tim.t...@gmail.com, qubes...@googlegroups.com, Olivier Médoc, da...@dsg.is

--

Sweet, go go go...... I'd love to get off the fedora bloat..... debian would be choice, Arch second. Keep up the good work
 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
Visit this group at http://groups.google.com/group/qubes-devel.
For more options, visit https://groups.google.com/d/optout.

Outback Dingo

Apr 2, 2014, 7:44:52 PM
to tim.t...@gmail.com, qubes...@googlegroups.com, Olivier Médoc, da...@dsg.is
On Wed, Apr 2, 2014 at 7:02 PM, Outback Dingo <outbac...@gmail.com> wrote:
> On Wed, Apr 2, 2014 at 5:41 PM, <tim.t...@gmail.com> wrote:
>> Hello Davith,
>>
>> I have automated your instructions with a python script and uploaded the script here: https://github.com/timthelion/qubes-tools-debian
>>
>> The end result is that you can build the debfiles and an installation ISO within a fedora based AppVM, and then you can mount the ISO and run the automated installer in debian.  This gets me to the point where "Run command in VM" works.  Nothing else seems to though.  Is there anything else working at this point?
>>
>> I'm not proud of my code (I've really been throwing it together without much thought or planning), but it seems to work.  For me, personally, having an HVM that has the qubes tools is actually better than a TemplateVM, so I'll probably try to maintain this install method in one form or another.
>>
>> Tim
>
> Sweet, go go go...... I'd love to get off the fedora bloat..... debian would be choice, Arch second. Keep up the good work

might want to note in the README.md, the error is based on term settings, but others might be put off by it

Selecting previously unselected package python-magic.
Unpacking python-magic (from .../python-magic_5.11-2+deb7u3_amd64.deb) ...
Setting up adduser (3.113+nmu3) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
Setting up cron (3.0pl1-124) ...
Adding group `crontab' (GID 102) ...
Done.
invoke-rc.d: policy-rc.d denied execution of start.
Setting up ifupdown (0.7.8) ...
Creating /etc/network/interfaces.

tim.t...@gmail.com

Apr 3, 2014, 6:51:42 AM
to qubes...@googlegroups.com, tim.t...@gmail.com, Olivier Médoc, da...@dsg.is
I've added a note to the README.  So.... Did it work?

Tim

Outback Dingo

Apr 3, 2014, 10:04:13 AM
to tim.t...@gmail.com, qubes...@googlegroups.com, Olivier Médoc, da...@dsg.is
On Thu, Apr 3, 2014 at 6:51 AM, <tim.t...@gmail.com> wrote:
> I've added a note to the README.  So.... Did it work?
>
> Tim



Yes, I did have to run the script twice, but did end up with an iso. I'll test mounting it today and installing from it.

tim.t...@gmail.com

Apr 3, 2014, 10:33:14 AM
to qubes...@googlegroups.com, tim.t...@gmail.com, Olivier Médoc, da...@dsg.is
I have no idea why it fails the first time.  It's some sort of bug in docker, but I haven't chased it down yet.

Tim

Davíð Steinn Geirsson

Apr 3, 2014, 5:14:21 PM
to tim.t...@gmail.com, qubes...@googlegroups.com, Olivier Médoc
Hi,

On Wed, 2 Apr 2014 14:41:52 -0700 (PDT)
tim.t...@gmail.com wrote:

> Hello Davith,
>
> I have automated your instructions with a python script and uploaded
> the script here: https://github.com/timthelion/qubes-tools-debian

Great to hear! :)

>
> The end result is that you can build the debfiles and an installation
> ISO within a fedora based AppVM, and then you can mount the ISO and
> run the automated installer in debian. This gets me to the point
> where "Run command in VM" works. Nothing else seems to though. Is
> there anything else working at this point?

Not really. I haven't had much time to work on this recently. I'm
currently stuck on getting gui-agent-linux working. Xorg runs, loads
dummyqbs graphics and qubesdev input, X programs seem to start,
qubes-guid is running on dom0 side, but windows do not appear on the
dom0 side.

>
> I'm not proud of my code (I've really been throwing it together
> without much thought or planning), but it seems to work. For me,
> personally, having an HVM that has the qubes tools is actually better
> than a TemplateVM, so I'll probably try to maintain this install
> method in one form or another.

I'm not sure I agree with your criticism of templates. As long as you
follow some basic rules when dealing with the templates (mainly to never
run anything except the package manager and a text editor), they can be
equally secure as standalone machines. I agree that the default qubes
template is a bit bloated, I would prefer to start with a very minimal
template, and then clone it a few times for different purposes (media,
web browsing, development, etc).

In the rare cases where I really need to install something from
outside the repos, I just install it under the user homedir on the
(untrusted) AppVM. When the debian template is working, this will be
even rarer due to the wealth of software in the repos.

>
> Tim

Best regards,
Davíð
