Installing software..

149 views
Skip to first unread message

Steven Walker

unread,
Mar 19, 2019, 12:59:47 PM3/19/19
to qubes-users
I am still pretty new to Qubes. I have managed to create a new qube, but I want to install some software for use with this qube. I have read that it has to be installed to the template and not the actual qube. As the template has no actual network connection, how do I go about this?

Using 4.0.1, Fedora 29

Any help greatly appeciated.

Steve

haaber

unread,
Mar 19, 2019, 6:33:46 PM3/19/19
to qubes...@googlegroups.com
that is fine, don't worry. The templates (if you have a std install)
will fetch their updates through sys-whonix in a miraculous way (see
here https://www.qubes-os.org/doc/software-update-vm/#updates-proxy ),
even if there is no NetVM for them. Just run dnf update and then dnf
install whatsoever and see what happens :) Simply Enjoy great software.
Bernhard

Steven Walker

unread,
Mar 21, 2019, 6:08:04 PM3/21/19
to qubes-users
Is that through the terminal in dom0 or the template?

haaber

unread,
Mar 21, 2019, 8:37:27 PM3/21/19
to qubes...@googlegroups.com
> Is that through the terminal in dom0 or the template?

if you are more specific, it is easier to answer. I would avoid
installing things in dom0 (only exception: entire template-vms). Other
software is installed in the templateVMs and then (after reboot)
available in the AppVMs based on that template. StandaloneVMs of will
course have software directly installed, as the name "stand alone"
suggests.

22...@tutamail.com

unread,
Mar 22, 2019, 9:07:38 AM3/22/19
to qubes-users
Steven,
I am going to assume you have created an AppVM i.e. a Qube based on a Template (vs a Stand alone VM). In this scenario you would install any software into the template.

Instructions:
1) I would suggest you clone your Fedora-29 template so you have a clean template. This is key as installing any 3rd party software is a security/privacy risk, if you screw up you can delete the clone and make a new one from the original trusted/clean template. You do this via a GUI by going to Qubes icon on the top left -> System tools -> Qubes Manager -> Highlight Template in Qubes Manager -> Right click on template -> Clone Qube

2) You will need to temporarily allow access to this template to the net. In Qubes Manager highlight cloned template -> right click -> Qubes Settings -> Basic tab -> Networking drop down -> Allow access to your Firewall Qube (Make very sure to return it to "None" when you have finished installing your software

3) Install your software into the clone. Qubes icon on the top left -> Go to your cloned template -> Terminal -> enter the install terminal commands, the commands to install libreoffice are:

sudo dnf install libreoffice

4) Shutdown template, change network setting back to "None" on the template, then create your AppVM. You should now see your new software.

Debian and whonix have slightly different commands in the terminal but the logic is the same.

Some additional best practices include:
* Never install anything into Dom0
* Check the keys to make sure your software is verified
* Minimize the software you install, make multiple cloned templates and install only the essential software you need. i.e. I have some templates that include libreoffice, Nano, VPN stuff and 1 template that has all
* Not sure but I don't think your software will update in the template, you might have to periodically re-create the template/software.

Totally open to feedback and criticism if this direction is wrong or needs clarification...

Good luck and welocme to Qubes.

deepda...@gmail.com

unread,
Mar 22, 2019, 9:00:32 PM3/22/19
to qubes-users
Thank you, 22. Would you recommend installing software through the terminal, or can you use the same procedure - enabling the network - to install software via the software manager?

I did install Libre Office using your instructions, and it came out perfect. As I had already created an appvm, I just selected the clone as the template, and it worked out fine.

Would you recommend cloning the whonix template too, for any changes. I am bacailly only adding bookmarks and passwords to whonix.

Many thanks,

Steven

unman

unread,
Mar 22, 2019, 10:09:42 PM3/22/19
to qubes-users
The suggestion in (2) is wrong. There are very few situations where you
will need to enable networking in a template , and you should resist this
as much as you can.
haaber has already pointed you to the documentation.

Templates use qubes-rpc to connect to a proxy instead of using
networking. This means that you can use standard package management like
dnf and apt without linking the template to the network.
I'm not a fedora person, but in Debian the advice is generally that you
should use packages, rather than compiling software yourself.
If the software you want isn't packaged, then generally you should
download the source , verify it by whatever means are available, and
then qvm-copy it to the template where you can compile and install.

The advice re cloning the template is sensible: some users don't like
multiple templates. If you do use them then I recommend using a caching
proxy instead of the standard Qubes proxy.

unman

unread,
Mar 22, 2019, 10:16:31 PM3/22/19
to qubes-users
Dont enable the network.

Use whatever tools you are comfortable with - the Debian templates dont
have a GUI software manager by default but you can install one as you
like.
You can clone the whonix template of course. If you add bookmarks, then
you are reducing the anonymity of the qubes, and subverting the whonix
paradigm. You are free to do this.
Your moniker suggest you may not want to.

Why add passwords? Again, they will link every qube based on the
template. More convenient, of course. (I'm assuming you are talking of
web bookmarks).

Jon deps

unread,
Mar 23, 2019, 2:31:22 PM3/23/19
to qubes...@googlegroups.com
pretty sure, there are different ways to skin the cat, though


the Templates are designed to obtain access indirectly, that is what the
"salt" stuff is they talk about ....it seems by default to be setup to
use sys-whonix-14 to install updates , somewhat magically

you can actually change the netvm without shutting down the templates

generally it's bad form to give the templates direct access, though
may you might want to once in while in order to troubleshoot something
, etc .....testing it the morning , you should be able to install non
updates without Direct access



for me Templates aren't worth backing up , I'm not worried about my
system melting down much ..... and anyway its going to be best to
fresh install , which is easy-ist in Qubes, which is one of the
beauties of the technology ....

hence, I clone for other reasons

one word of advice is keep a paper list of custom packages you
install so when it goes to Fedora-30 you install fresh and then add
back fresh packages , your files will persist,


my problem what few files I have end up spread out over 10 App Qubes


22...@tutamail.com

unread,
Mar 23, 2019, 7:22:49 PM3/23/19
to qubes-users
Steven Walkeer...unman knows his $hit. I stand corrected...he has helped me a lot...

haaber/unman...any chance you could break down your direction? What would be the commands to install lets say:

LibraOffice into a Debian template? I have used Protonmail bridge on whonix and debian and have only been able to get it to install by giving full access temporarily to the template...

Jon Deps I tend to follow your strategy, periodic Qube re-installs, rebuild new templates with new versions (e.g. fedora 30), delete cloned templates, no template back-ups, etc...

I have been using Qubes for about 1-2 years, been awesome but I started with Qubes (with no Linux). Been fumbling my way since...


22...@tutamail.com

unread,
Mar 23, 2019, 7:23:40 PM3/23/19
to qubes-users
PS...thanks for the correcting me!

unman

unread,
Mar 23, 2019, 10:27:16 PM3/23/19
to qubes...@googlegroups.com
It's only if you selected the "update over Whonix" option on install that you get
updating using sys-whonix qube. It's not the default.
Salt doesnt have anything to do with the "indirect" access - the access
is using qubes-rpc to the UpdateProxy - the proxy to use is set in
/etc/qubes-rpc/policy/qubes.UpdateProxy.
You can change the proxy to use by editing that file.

You *can* use salt to install software in to the templates. If you do
this then you need only maintain the salt formula and you can easily
recreate a template, without having to keep a paper list. That's an
ideal way of using salt to configure your systems.

Jon deps

unread,
Mar 23, 2019, 10:52:20 PM3/23/19
to qubes...@googlegroups.com
I think I'm stuck at mere mortal qube user level forever :)

https://groups.google.com/forum/#!topic/qubes-users/F_TB7Zzseeo


PS: for some reason I am able to $sudo dnf install foosoftware in
Fedora-29 though I have no "direct" netvm for the Template ,
though I recall in the past allowing netvm access for packages I
wanted to install, or maybe when I was trying to install a VPN to the
template, gave up and installed it in the AppVM I guess

There is a 3rd trick to discern whats custom installed IIRC , though
maybe it was more for Debian than Fedora if one searches the
usergroup fwiwwwwww

awokd

unread,
Mar 24, 2019, 3:21:59 PM3/24/19
to qubes...@googlegroups.com
22...@tutamail.com wrote on 3/23/19 11:22 PM:
> What would be the commands to install lets say:
> LibraOffice into a Debian template? I have used Protonmail bridge on whonix and debian and have only been able to get it to install by giving full access temporarily to the template...

Libreoffice is in Debian's repos so all you'd need to run in the
template is:
sudo apt install libreoffice

You might be thinking of software that's not available from Debian
repos. For those, it's usually best to see if there's something else
that will work and available. If not, it's better to download the
package in a qube already internet connected, then qvm-copy it to the
template. That way you can avoid touching the Internet from your template.

john s.

unread,
Apr 16, 2019, 9:17:11 PM4/16/19
to qubes...@googlegroups.com
If I do this :

echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial
main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main




then I do NOT need to add anything to
/etc/apt/sources.list.d/qubes-r4.list ??

nor

/etc/apt/sources.list ??


for Debian-9 stretch ?


ty


--
A895 0C7C A244 8E2E FD77 A3DB 180B 7D4D D158 F8B6

unman

unread,
Apr 16, 2019, 9:24:44 PM4/16/19
to qubes...@googlegroups.com
That's right.
'man sources.list' gives you chapter and verse.

shamaar...@gmail.com

unread,
Jun 1, 2019, 4:45:20 PM6/1/19
to qubes-users
Gear: Thinkpad 1TB SSD, 32GB, windows 10, 32GB USB flash

Process:
1. Download qubes setup on usb.
2. I chose my 1TB SSD for the installation destination
3. I have to reclaim space even though it’s a new computer fresh out of the box.
4. Setup user creation and configuration.
5. When I try to finish installation it freezes during the user creation part. and I have to reset my laptop.

Problem: I can’t use my original os (windows10) and when I tried to use my os on another usb it got fried when I plugged it into the laptop and now I can’t use it on any computer. I manage to pull up an error code and it has something to due with user creation. Any assistance would be greatly appreciated.

awokd

unread,
Jun 1, 2019, 5:54:55 PM6/1/19
to qubes...@googlegroups.com
shamaar...@gmail.com:
> Gear: Thinkpad 1TB SSD, 32GB, windows 10, 32GB USB flash
>
> Process:
> 1. Download qubes setup on usb.
> 2. I chose my 1TB SSD for the installation destination
> 3. I have to reclaim space even though it’s a new computer fresh out of the box.
> 4. Setup user creation and configuration.
> 5. When I try to finish installation it freezes during the user creation part. and I have to reset my laptop.

That an unusual place for the installer to freeze. What was the error code?

Reply all
Reply to author
Forward
0 new messages