replacing fedora template with fedora minimal


river1...@gmail.com

Apr 18, 2018, 6:46:55 AM
to qubes-users
hi all,

I am currently running a Qubes 4 system with all my AppVMs based on Debian. (btw thanks to the Qubes devs for providing this "out of the box" when I know you prefer Fedora: very democratic :)

Updating the Fedora 26 template takes forever and a lot of it is software I will never use. I am tempted to try to replace this with the minimal template, and wondered if there is a step by step Qubes-for-Dummies description of how to do this?

If so, please could somebody post a link?

If not, what I have found so far is a page at

https://www.qubes-os.org/doc/templates/fedora-minimal/

which helpfully lists how to install the template and which packages I need to add to it before I try to use it with sys-net sys-firewall and sys-usb.

So my current plan is

1. install the minimal template
2. add the required packages
3. backup all qubes in case of finger trouble
4. from Qube Settings in each of the sys- domains change the template
5. reboot

Is there anything important I have missed?

And finally, after I have got everything running off Fedora Minimal or Debian, would I use qubes-remove or dnf to remove the redundant Fedora-26 template?

Thanks for any advice - especially if I have missed something...

Ivan Mitev

Apr 18, 2018, 7:08:47 AM
to qubes...@googlegroups.com


On 04/18/2018 01:46 PM, river1...@gmail.com wrote:
> hi all,
>
> I am currently running a Qubes 4 system with all my AppVMs based on Debian. (btw thanks to the Qubes devs for providing this "out of the box" when I know you prefer Fedora: very democratic :)
>
> Updating the Fedora 26 template takes forever and a lot of it is software I will never use. I am tempted to try to replace this with the minimal template, and wondered if there is a step by step Qubes-for-Dummies description of how to do this?
>
> If so, please could somebody post a link?
>
> If not, what I have found so far is a page at
>
> https://www.qubes-os.org/doc/templates/fedora-minimal/

that's the right doc page.

>
> which helpfully lists how to install the template and which packages I need to add to it before I try to use it with sys-net sys-firewall and sys-usb.
>
> So my current plan is
>
> 1. install the minimal template

+ once installed, I'd advise to leave the template as-is and customize a
clone:

qvm-clone fedora-26-minimal fedora-26-mini


> 2. add the required packages

for info those were the rpms I installed in my minimal templates (they
include those listed in the doc + a few other ones I needed)

qubes-core-agent-passwordless-root
qubes-core-agent-networking
qubes-core-agent-network-manager
qubes-core-agent-dom0-updates
qubes-usb-proxy
network-manager-applet
polkit
less
pciutils
psmisc
NetworkManager-wifi
dejavu-sans-fonts
dejavu-sans-mono-fonts
tcpdump
telnet
wireless-tools
iwl7260-firmware
keepassxc pwgen
sharutils
qubes-gpg-split
qubes-core-agent-nautilus
bzip2


`dnf info packagename` will show you what package does what if you're
wondering what a rpm is for.

as a side note, my sys-usb VM is based on a "heavy" template because I
often plug stuff like smartphones, soundcards, ... and Qubes's usb
passthrough doesn't work too well with those.


> 3. backup all qubes in case of finger trouble

that shouldn't be needed because the only thing you do is change the
qube VM's template. If something goes wrong, just revert to the original
fedora-26 template

> 4. from Qube Settings in each of the sys- domains change the template

or for a quicker alternative, in a dom0 terminal:

qvm-prefs vmname template fedora-26-mini

> 5. reboot

either that, or shutdown all your sys-* VMs and restart them in the
right order (sys-net then sys-firewall). Qubes 4.0 should automatically
reconnect the other qube VMs to sys-firewall.


> Is there anything important I have missed?

I don't think so!

>
> And finally, after I have got everything running off Fedora Minimal or Debian, would I use qubes-remove or dnf to remove the redundant Fedora-26 template?

dnf, because using `qvm-remove` would remove rpm installed files which
is usually not a good thing (I'm not sure what will happen when/if a new
template rpm is pushed in the repos - maybe the template's file will get
reinstalled).

if you already removed a rpm-installed template with `qvm-remove`, IIRC
dnf (or `rpm -e`) will complain because pre/post scripts fail; in that
case you can remove the rpm with `rpm --noscripts` or something like that.
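
Added example, not part of the original thread: a dom0 shell sketch of steps 4 and 5 that keeps the fallback mentioned in the reply above, reverting to the previous template if the qube does not start on the new one. The function name and the QVM_* override variables are assumptions of this example, and it assumes the qube is already shut down, as in the "shutdown all your sys-* VMs" variant.

```shell
#!/bin/sh
# Added example for dom0 (not from the thread). The QVM_* variables are
# hypothetical hooks so the logic can be exercised without real qubes.

# switch_template VM NEW_TEMPLATE
# VM must already be halted. Returns 0 on success, 2 if VM was put back
# on its previous template, 1 or 3 if a step failed and VM needs attention.
switch_template() {
    vm=$1; new=$2
    prefs=${QVM_PREFS:-qvm-prefs}
    start=${QVM_START:-qvm-start}

    # Remember the current template so there is something to revert to.
    old=$($prefs "$vm" template) || return 1
    if [ "$old" = "$new" ]; then return 0; fi

    # Fails here (and changes nothing) if the qube is still running.
    $prefs "$vm" template "$new" || return 1

    if $start "$vm"; then
        echo "$vm now uses $new (was $old)"
        return 0
    fi

    # Start failed, e.g. a package is missing from the minimal clone.
    echo "$vm did not start on $new, reverting to $old" >&2
    $prefs "$vm" template "$old" || return 3
    $start "$vm" || return 3
    return 2
}

# Start order from the reply: sys-net first, then sys-firewall, e.g.
#   for vm in sys-net sys-firewall; do
#       switch_template "$vm" fedora-26-mini || break
#   done
if [ "$#" -eq 2 ]; then switch_template "$@"; fi
```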

trueriver

Apr 18, 2018, 7:51:20 AM
to qubes-users
hi again Ivan


Thanks for the advice.

Same request as before: pls could you delete your side of this conversation (or re-post) as it picked up my email address.

My mistake - this is why I need a machine to look after security for me :(

River~~

Chris Laprise

Apr 18, 2018, 1:13:10 PM
to river1...@gmail.com, qubes-users
On 04/18/2018 06:46 AM, river1...@gmail.com wrote:
> hi all,
>
> I am currently running a Qubes 4 system with all my AppVMs based on Debian. (btw thanks to the Qubes devs for providing this "out of the box" when I know you prefer Fedora: very democratic :)

Fedora was chosen a long time ago because at the time it was more
convenient.

Since then, the developers have expressed a need to move away from it
toward Debian or similarly stable & secure distro. There is even an
issue logged for it.

With Debian already being rather minimal I'd suggest using that for most
VMs. I myself use Fedora only for sys-firewall (to handle dom0 updates),
to test software compatibility, and occasionally to build a template.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

trueriver

Apr 18, 2018, 1:50:18 PM
to qubes-users
hi Chris

> ...


> With Debian already being rather minimal I'd suggest using that for most
> VMs. I myself use Fedora only for sys-firewall (to handle dom0 updates),
> to test software compatibility, and occasionally to build a template.

I tried changing sys-net to use debian-9 as its template -- that seemed to prevent me using the terminal in that template so I quickly put it back. I do not have time at present to re-check exactly what I did -- hence my current strategy to use f-26 for all the sys-* machines.

I figure if I am using it for anything then I might as well use it for all the sys-* domains. But if I understand you right, you think my sys-net should have worked with the Debian-9 template? If so I might find time to re-visit that

trueriver

Apr 18, 2018, 2:05:09 PM
to qubes-users
the doc page at

https://www.qubes-os.org/doc/templates/fedora-minimal/

says that in Q R4.0 sudo is not installed in the minimal fedora template, and tells you how to get into a root shell from dom0.

That is not quite true - sudo is installed (and therefore dnf refuses to re-install it), but it needs to be configured, so you will need to use the method in the doc page at least at first.

In the fedora-26 template (NOT minimal) find the file /etc/sudoers.d/qubes and copy it across to the same location in the minimal template. Stop and start the minimal template.

Go into the terminal as user, and sudo -i now puts you into root without a password.

More detail

I found the system would not immediately let me copy the file across, so I copied it to /home/user on the template, chown user:user; chmod 777 then I could move it using the GUI.

Then in the minimal template, move the file from /user/QubesIncoming/fedora-26 to /etc/sudoers.d then a final chown root:root ; chmod 440 to restore the ownership & mode that sudo expects.

I do not claim this to be the most elegant way to move a
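
Added example, not part of the original post: one way to do the final step in the minimal template so that the file, which was world-writable in transit, is syntax-checked and only appears in /etc/sudoers.d with the ownership and mode the post names (root:root, 0440). The function name and the staging file name are assumptions of this example; run it as root.

```shell
#!/bin/sh
# Added example (not from the thread): install a sudoers drop-in without it
# ever being active in the target directory with loose permissions.

# install_sudoers_dropin SRC DEST_DIR NAME
install_sudoers_dropin() {
    src=$1; dest_dir=$2; name=$3

    # The incoming copy was chmod 777 on the way, so accept only a regular
    # file and never follow a symlink planted in its place.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "not a regular file: $src" >&2; return 1
    fi
    # sudo skips drop-ins whose name contains '.' or ends in '~'.
    case $name in
        ''|*.*|*~|*/*) echo "unusable drop-in name: $name" >&2; return 1 ;;
    esac

    # Stage under a dotted name (ignored by sudo); mktemp creates it 0600.
    tmp=$(mktemp "$dest_dir/.dropin.XXXXXX") || return 1
    if ! cat "$src" > "$tmp"; then rm -f "$tmp"; return 1; fi

    # Syntax-check the staged copy before activating it, if visudo exists.
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$tmp"; return 1
    fi

    # Ownership and mode as given in the post: root:root, 0440.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp" && mv -f "$tmp" "$dest_dir/$name"
}

# Usage: install_sudoers_dropin <received file> /etc/sudoers.d qubes
if [ "$#" -eq 3 ]; then install_sudoers_dropin "$@"; fi
```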

Chris Laprise

Apr 18, 2018, 2:24:46 PM
to trueriver, qubes-users
I haven't had any issues with sys-net on Debian 9. And I can't think of
any particular reason why it couldn't be used. The only thing I had to
do to it was install my wifi drivers with apt-get.

In your case, I'd make sure debian-9 was up to date and maybe try it
with a freshly created networkVM (set HVM mode, assign devices, turn off
memory balancing, netvm=none, provides network).