Safe Arch install

[Demi M. Obenour]

Is it possible to build an Arch install ISO in addition to the
TemplateVM RPMs? I would prefer to avoid copying the RPMs into
my dom0, whereas installing from an ISO has no such problems.
Alternatively, is it possible to extract a root filesystem image
from an RPM and safely (without compromising dom0) import it into a
fresh TemplateVM?

Alternatively, does ITL distribute Arch template packages? I could
not find them in the repositories.

Sincerely,

Demi

[dhorf-qrir...@hashmail.org]

On Sun, May 24, 2020 at 02:36:00PM -0400, Demi M. Obenour wrote:
> Is it possible to build an Arch install ISO in addition to the
> TemplateVM RPMs? I would prefer to avoid copying the RPMs into
> my dom0, whereas installing from an ISO has no such problems.

that is actualy worse than copying a rpm to dom0.

> Alternatively, is it possible to extract a root filesystem image
> from an RPM and safely (without compromising dom0) import it into a
> fresh TemplateVM?

https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh

can be run in either dom0 or (with a lot of policy adjustments
or a bazillion manual approvals and minor changes) an adminapi-vm.

it is also mostly trivial to install the template-root right
from the buildvm. (skipping the "rpm" part entirely)

[Demi M. Obenour]

On 2020-05-24 14:49, dhorf-qrir...@hashmail.org wrote:
> On Sun, May 24, 2020 at 02:36:00PM -0400, Demi M. Obenour wrote:
>> Is it possible to build an Arch install ISO in addition to the
>> TemplateVM RPMs? I would prefer to avoid copying the RPMs into
>> my dom0, whereas installing from an ISO has no such problems.
>
> that is actualy worse than copying a rpm to dom0.

I meant installing a qube from an ISO image in another qube.

>> Alternatively, is it possible to extract a root filesystem image
>> from an RPM and safely (without compromising dom0) import it into a
>> fresh TemplateVM?
>
> https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
>
> can be run in either dom0 or (with a lot of policy adjustments
> or a bazillion manual approvals and minor changes) an adminapi-vm.
>
> it is also mostly trivial to install the template-root right
> from the buildvm. (skipping the "rpm" part entirely)

How does one do that? That sounds promising.

Sincerely,

Demi

[dhorf-qrir...@hashmail.org]

On Sun, May 24, 2020 at 03:01:50PM -0400, Demi M. Obenour wrote:

> > https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
> >
> > can be run in either dom0 or (with a lot of policy adjustments
> > or a bazillion manual approvals and minor changes) an adminapi-vm.
> >
> > it is also mostly trivial to install the template-root right
> > from the buildvm. (skipping the "rpm" part entirely)
>
> How does one do that? That sounds promising.

see above shellscript for the general basic outline of "how to turn
a template rpm into a template vm".

most of the qvm-something steps are also avail in appvms through
the adminapi these days. (== can be called from a buildvm)

for "skipping the rpm part" prototype see
https://github.com/QubesOS/qubes-builder/pull/87
and related PRs/diffs.

both the shellscript and builder integration are fully functional,
but need cleanup before they can be merged.
the main open issue is how to integrate a template-specific
settings-file (the "tplspec" parts) with the build process.
this is mostly needed for the mirage templates.

[Demi M. Obenour]

That makes sense. Writing to a qube’s root volume from dom0 is a
safe operation, since it doesn’t do anything that the qube could
not already do itself. It would be nice if that could be done by
`qvm-block import`, though.

Sincerely,

Demi

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

You can do that with `qvm-volume import`. And with some adjustments to
the qrexec policy, you can do that even from your buildvm.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl7K0fMACgkQ24/THMrX
1yzLFQf9FUU670LSbL8EOQYADryVyxxisnzeExfeMq0EpbprYys0Alv33JeeVQ7n
GwFyC5KavAVWYB6dya92PBNp1lOt+znl016+dNAFXBQ2PMSn2WGDdJLYkC0Ld03r
2Pv0wyYzkNuicX9EYmeitHN+EFzNX0NTDo+jqupYaHkBCd8wjtx3LjaZ/h5hgmwD
ecyTbYHYRvrVXkmGM2DPxUd1UMsL9ZSAaMLwfId0rctoj6uUt7Xrp/XIKbRjGuwB
r6bvuBdT+Sq/YSYmulqxyKxjstImgJ/8aFJTBPA8zia/8b+U7mS0YDD10YUzrbXK
01swbNokTRbO7kqRLHrI72HrQyiJTg==
=2C1r
-----END PGP SIGNATURE-----

[Demi M. Obenour]

On 2020-05-24 15:58, Marek Marczykowski-Górecki wrote:>> That makes sense. Writing to a qube’s root volume from dom0 is a

>> safe operation, since it doesn’t do anything that the qube could
>> not already do itself. It would be nice if that could be done by
>> `qvm-block import`, though.
>
> You can do that with `qvm-volume import`. And with some adjustments to
> the qrexec policy, you can do that even from your buildvm.

Something like

buildvm arch ask,target=dom0

in `/etc/qubes-rpc/policy/admin.vm.volume.Import+root`?

Sincerely,

Demi

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Yes.
In practice, qvm-volume may want also:
- - admin.vm.volume.Resize+root
- - admin.vm.volume.Info+root
- - admin.vm.List (unfortunately...)

and possibly few more.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl7K4K0ACgkQ24/THMrX
1yyKXQf/U0YrjZAcxmRTZUmYi/C19V7hi8eGv/8i2KP6Xx0Ns9Ri7No5UB428Eo5
ItnNWpMTkLEJRcSXCjsQQjERx/wiNpF/PujF8pEA70ZBZ7nRXZROXkXlhfGK2kW9
P9OEtCeKxsAooXEZD69BIA0KifvR5fILyRNlkyW578W6AFilZcMaeVq+BykbKAZM
Z03iE6F6hWVl2xgsm7niDUlpD/C7mJ4QRTGnoiRpcWOTdcUw8Od6YhrGXtvTKejS
2ofkVh5Yo9reSwSXkwlGPpUMw/vFoKhi9Rv6V0Ie4tB+Ffhpuq6V/r6ZEIVkqDRz
HnrUjG8HY6EHqUAlPfkGrtwpihYz/Q==
=W/KE
-----END PGP SIGNATURE-----