Can I run a "full" OS within qubes?


kht-lists

Jun 9, 2019, 2:01:23 PM
to qubes...@googlegroups.com
After watching Matthew Wilson's excellent video and reviewing various FAQs and documents on the qubes-os web site I find myself with a basic philosophical question.  Currently I run CentOS 7 on a workstation and have installed the VMWare Workstation/Player environment.  I have a number of Virtual Machines created (CentOS, Ubuntu, Linux Mint etc.) which I run for various purposes.  They are SOMEWHAT isolated from each other but not as well isolated as they would be in qubes-os.  The video and the screenshots on the qubes-os web site seem to show only single applications running in separate security domains. If it is desired to run two applications in the same security domain it is necessary to launch them separately from the dom0 menu.  I think this invokes two copies of the VM OS template, one for each application - although I might be wrong.  My question is...

Can qubes-os invoke a complete OS with Desktop, menu etc. within a security domain?  This would be similar to what I do in VMWare. I tend to run a given VM on one workspace and the second on a different workspace so that I can change between them and make good use of the monitor Real Estate. Does qubes-os have the concept of workspaces?

Thanks in advance,

Ken Taylor


Chris Laprise

Jun 9, 2019, 2:43:18 PM
to kht-lists, qubes...@googlegroups.com
On 6/9/19 2:01 PM, 'kht-lists' via qubes-users wrote:
> After watching Matthew Wilson's excellent video and reviewing various
> FAQs and documents on the qubes-os web site I find myself with a basic
> philosophical question.  Currently I run CentOS 7 on a workstation and
> have installed the VMWare Workstation/Player environment.  I have a
> number of Virtual Machines created (CentOS, Ubuntu, Linux Mint etc.)
> which I run for various purposes.  They are SOMEWHAT isolated from each
> other but not as well isolated as they would be in qubes-os.  The video
> and the screenshots on the qubes-os web site seem to show only single
> applications running in separate security domains. If it is desired to
> run two applications in the same security domain it is necessary to
> launch them separately from the dom0 menu.  I think this invokes two
> copies of the VM OS template, one for each application

That's wrong. Qubes uses the same VM instance for multiple applications
(when they are invoked for that VM).

> - although I
> might be wrong.  My question is...
>
> Can qubes-os invoke a complete OS with Desktop, menu etc. within a
> security domain?  This would be similar to what I do in VMWare. I tend
> to run a given VM on one workspace and the second on a different
> workspace so that I can change between them and make good use of the
> monitor Real Estate. Does qubes-os have the concept of workspaces?

If you run KDE in dom0, you can use its window rules to bind particular
VMs to particular desktops (what you call workspaces). This is easy
since each window title begins with its VM name.

You can also resort to using HVMs instead of the usual template-based
PVH VMs. This is like installing a VM in VMWare, and you lose some of
the benefits of Qubes integration (IIRC it's also theoretically less
secure). But it will give you a full, separate desktop for each HVM.
Note that Qubes currently does not have advanced BIOS support for HVMs,
so you may have trouble installing certain operating systems (although
there are many that work fine, such as Windows and Ubuntu).

There may be a third option in the form of using a regular
template-based appVM with full-screen mode enabled, in addition to
running its full desktop environment. The full-screen part is simple,
but I have no experience attempting the desktop environment and I don't
recall other users configuring their appVMs in this way. Perhaps someone
else can chime in about this possibility.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Chris Laprise

Jun 9, 2019, 2:53:00 PM
to kht-lists, qubes...@googlegroups.com
On this third option, here is a recommendation I found from the Qubes
project leader – it involves using vnc:

https://groups.google.com/forum/#!topic/qubes-users/Z8XXbz5wofE

kht-lists

Jun 9, 2019, 4:50:25 PM
to Chris Laprise, qubes...@googlegroups.com
On Sunday, June 9, 2019 2:52 PM, Chris Laprise <tas...@posteo.net> wrote:

> On 6/9/19 2:43 PM, Chris Laprise wrote:
>
> > On 6/9/19 2:01 PM, 'kht-lists' via qubes-users wrote:
> >
> > > After watching Matthew Wilson's excellent video and reviewing various
> > > FAQs and documents on the qubes-os web site I find myself with a basic
> > > philosophical question.  Currently I run CentOS 7 on a workstation and
> > > have installed the VMWare Workstation/Player environment.  I have a
> > > number of Virtual Machines created (CentOS, Ubuntu, Linux Mint etc.)
> > > which I run for various purposes.  They are SOMEWHAT isolated from
> > > each other but not as well isolated as they would be in qubes-os.  The
> > > video and the screenshots on the qubes-os web site seem to show only
> > > single applications running in separate security domains. If it is
> > > desired to run two applications in the same security domain it is
> > > necessary to launch them separately from the dom0 menu.  I think this
> > > invokes two copies of the VM OS template, one for each application
> >
> > That's wrong. Qubes uses the same VM instance for multiple applications
> > (when they are invoked for that VM).

OK thanks. I was not clear from the video. That makes sense.

I like the sounds of this option. My "production" workstation has two monitors with a VM running on the right monitor in portrait mode (always on visible workspace) which I use for general purpose web browsing on one workspace, my ISP provided email on a second workspace with 2 workspaces to spare. The left monitor, landscape mode, points to the host OS and has 6 workspaces. One is dedicated to another VM which I use to access my Protonmail and Lavabit accounts (one per Firefox or Thunderbird instance in separate workspaces). The other 5 workspaces are used as needed for whatever I might be doing. This might include a remote desktop viewer to various other servers etc., other VMs and so on. I have not computed the number of possible permutations between the two monitors but it is probably larger than I want to know :-) It would be a challenge to replicate this functionality in qubes-os and I need to procure some new hardware as this workstation is the only machine I have with the necessary features to support qubes-os.

Thank you for your insightful reply. I guess I need to upgrade my main workstation (it is an i7-6700) to something more powerful and then devote it to qubes-os.

Ken


awokd

Jun 9, 2019, 6:22:56 PM
to qubes...@googlegroups.com
'kht-lists' via qubes-users:

> I like the sounds of this option. My "production" workstation has two monitors with a VM running on the right monitor in portrait mode (always on visible workspace) which I use for general purpose web browsing on one workspace, my ISP provided email on a second workspace with 2 workspaces to spare. The left monitor, landscape mode, points to the host OS and has 6 workspaces. One is dedicated to another VM which I use to access my Protonmail and Lavabit accounts (one per Firefox or Thunderbird instance in separate workspaces). The other 5 workspaces are used as needed for whatever I might be doing. This might include a remote desktop viewer to various other servers etc., other VMs and so on. I have not computed the number of possible permutations between the two monitors but it is probably larger than I want to know :-) It would be a challenge to replicate this functionality in qubes-os and I need to procure some new hardware as this workstation is the only machine I have with the necessary features to support qubes-os.

Qubes' default is XFCE which has workspaces too. Each application is in
its own independent window even if they're running on different VMs
underneath. You can move them around to any workspace. It will make more
sense when you try it.

> Thank you for your insightful reply. I guess I need to upgrade my main workstation (it is an i7-6700) to something more powerful and then devote it to qubes-os.

If you have the necessary virtualization features, the next most
important things are lots of RAM (32 GB is comfortable, 16 GB isn't bad)
and a large enough SSD for the OS and your heavily used VMs. CPU and GPU
don't matter much for performance. Intel or AMD for video are more Qubes
compatible than nvidia.

Chris Laprise

Jun 9, 2019, 6:23:35 PM
to kht-lists, qubes...@googlegroups.com
FWIW, the first option is what I use and it works well. KDE will let you
organize windows by VM name using your choice of multiple desktops,
screens and activities. This is probably the most efficient option as
well, since you would be running only one desktop environment and VM
graphics will be via the integral Qubes vchan driver instead of a vnc
network setup.

--

Chris Laprise, tas...@posteo.net

awokd

Jun 9, 2019, 6:29:25 PM
to qubes...@googlegroups.com
awokd:
>
> Qubes' default is XFCE which has workspaces too. Each application is in
> its own independent window even if they're running on different VMs
> underneath. You can move them around to any workspace. It will make more
> sense when you try it.

Should add this is when using the default Debian or Fedora templates.

kht-lists

Jun 9, 2019, 8:39:41 PM
to awokd, qubes...@googlegroups.com



On Sunday, June 9, 2019 6:22 PM, 'awokd' via qubes-users <qubes...@googlegroups.com> wrote:

> 'kht-lists' via qubes-users:
>
> > I like the sounds of this option. My "production" workstation has two monitors with a VM running on the right monitor in portrait mode (always on visible workspace) which I use for general purpose web browsing on one workspace, my ISP provided email on a second workspace with 2 workspaces to spare. The left monitor, landscape mode, points to the host OS and has 6 workspaces. One is dedicated to another VM which I use to access my Protonmail and Lavabit accounts (one per Firefox or Thunderbird instance in separate workspaces). The other 5 workspaces are used as needed for whatever I might be doing. This might include a remote desktop viewer to various other servers etc., other VMs and so on. I have not computed the number of possible permutations between the two monitors but it is probably larger than I want to know :-) It would be a challenge to replicate this functionality in qubes-os and I need to procure some new hardware as this workstation is the only machine I have with the necessary features to support qubes-os.
>
> Qubes' default is XFCE which has workspaces too. Each application is in
> its own independent window even if they're running on different VMs
> underneath. You can move them around to any workspace. It will make more
> sense when you try it.

Thanks, I do need to try it to really figure it out.

>
> > Thank you for your insightful reply. I guess I need to upgrade my main workstation (it is an i7-6700) to something more powerful and then devote it to qubes-os.
>
> If you have the necessary virtualization features, the next most
> important things are lots of RAM (32 GB is comfortable, 16 GB isn't bad)
> and a large enough SSD for the OS and your heavily used VMs. CPU and GPU
> don't matter much for performance. Intel or AMD for video are more Qubes
> compatible than nvidia.
>
>
My current workstation - Dell Precision 3620 with an i7-6700, 16 GB RAM, a 240 GB PCIe M.2 drive and a 250 GB Samsung 850 SATA drive would make a decent starter if I pull the nVidia K620 card and use the Intel on-board graphics. However, that would leave me without my main machine. Time for a new toy :-)

Ken

kht-lists

Jun 9, 2019, 8:42:51 PM
to Chris Laprise, qubes...@googlegroups.com



I really need to try qubes-os to figure it out.

Ken