handling of /home in TemplateVM vs TemplateBasedVM


Patrick Schleizer

Jul 2, 2015, 3:49:23 PM
to qubes-users
Hi,

as far as I observed until now, anything in a TemplateVM's home folder is
copied to a TemplateBasedVM home folder at creation time of the
TemplateBasedVM.

From then, any modification in TemplateVM's home folder won't affect
existing TemplateBasedVMs based on that TemplateVM. New TemplateBasedVMs
created based on that TemplateVM would get these changes, though.

If my understanding is correct and this is currently undocumented, I
would like to add this to documentation. What would be an appropriate place?

https://www.qubes-os.org/doc/GettingStarted/#appvms-domains-and-templatevms
?

Cheers,
Patrick

Marek Marczykowski-Górecki

Jul 2, 2015, 6:05:54 PM
to Patrick Schleizer, qubes-users
Yes, probably somewhere there.

But, we're actually thinking about removing that feature, so a new
template-based VM would get a clean home regardless of when it was created.
This would mean that one can no longer preconfigure user settings in the
template to have them propagated to new VMs, but overall I think this
would be more consistent. If one wants to have something configured the
same way on every VM (based on this particular template), it can be done
in /etc.

What do you think?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

bow...@gmail.com

Jul 2, 2015, 6:19:15 PM
to Marek Marczykowski-Górecki, Patrick Schleizer, qubes-users


> On 2 Jul 2015, at 23:05, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
>
> Yes, probably somewhere there.
>
> But, we're actually thinking about removing that feature, so a new
> template-based VM would get a clean home regardless of when it was created.
> This would mean that one can no longer preconfigure user settings in the
> template to have them propagated to new VMs, but overall I think this
> would be more consistent. If one wants to have something configured the
> same way on every VM (based on this particular template), it can be done
> in /etc.
>
> What do you think?

+1 from me on changing as you describe, Marek, for the consistency.


cprise

Jul 3, 2015, 12:45:17 AM
to Marek Marczykowski-Górecki, Patrick Schleizer, qubes-users
I currently rely on that feature to maintain a consistent environment
(templates are carefully configured with certain presets in the CLI, UI
options, browser, etc). I create appvms fairly regularly, sometimes with
the intention of keeping them only for a few hours or days. Having to
manually reconfigure them each time would be a significant burden.

If it is to be changed at all, it would be better to have this as an
option in the VM creation dialogue window. Even then, I would default it
to the current behavior.

A note on the nature of user presets in templates: These currently are
necessary to improve general security of the VMs. Think of the thumbnail
preview setting in Nautilus, or any number of options/extensions in
Firefox, TBird, etc.

So... Emphatic 'No'.

Patrick Schleizer

Jul 3, 2015, 3:34:09 AM
to cprise, Marek Marczykowski-Górecki, qubes-users
cprise:
I agree with cprise on this.

The current way it's handled is also crucial for Whonix because we must
write some stuff into home.*

Cheers,
Patrick

* Surely it would be great if we would not need to, but this would
require significant help by upstreams, and that's not available.

conp...@gmail.com

Jul 3, 2015, 5:04:51 AM
to qubes...@googlegroups.com
I agree with cprise. Some security and accessibility settings have to be configured in the user's home. I reckon it could be problematic to implement a switch at new VM creation because I can't see how to keep two versions of the home folder in sync.

Patrick Schleizer

Oct 15, 2015, 3:56:41 PM
to qubes...@googlegroups.com
conp...@gmail.com:
> I agree with cprise. Some security and accessibility settings have to be configured in the user's home. I reckon it could be problematic to implement a switch at new VM creation because I can't see how to keep two versions of the home folder in sync.
>

How this will be handled in future is currently being discussed on github.

https://github.com/QubesOS/qubes-issues/issues/1335

Cheers,
Patrick
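
The /etc route suggested earlier in the thread, applied to the Nautilus thumbnail setting that was mentioned, as an added example that is not code from any poster or from the Qubes project: a TemplateBasedVM takes its root filesystem, /etc included, from its template, so a dconf system database there reaches existing and new VMs alike, and a lock keeps a per-user value in /home from overriding it. The ROOT argument and the file name 00-template-defaults are assumptions made for illustration; confirm the key name against the Nautilus version in your template.

```shell
#!/bin/sh
# Added example: write a locked, system-wide dconf default under ROOT/etc.
# ROOT is a hypothetical parameter so the function can be tried on a scratch
# directory first; inside a TemplateVM it would be run as root with ROOT=/.

write_template_dconf_defaults() {
    [ -n "$1" ] || { echo "usage: write_template_dconf_defaults ROOT" >&2; return 2; }
    root="${1%/}"                    # "/" becomes "", "/tmp/x/" becomes "/tmp/x"
    dconf_dir="$root/etc/dconf"
    profile="$dconf_dir/profile/user"
    name="00-template-defaults"      # constructed file name

    mkdir -p "$dconf_dir/profile" "$dconf_dir/db/local.d/locks" || return 1

    # Keep an existing profile; only make sure the "local" system db is listed.
    [ -f "$profile" ] || printf 'user-db:user\n' > "$profile"
    grep -qx 'system-db:local' "$profile" || printf 'system-db:local\n' >> "$profile"

    # Default value: Nautilus never renders thumbnails.
    cat > "$dconf_dir/db/local.d/$name" <<'EOF'
[org/gnome/nautilus/preferences]
show-image-thumbnails='never'
EOF

    # Lock: a value stored in the user's home can no longer override the default.
    printf '%s\n' '/org/gnome/nautilus/preferences/show-image-thumbnails' \
        > "$dconf_dir/db/local.d/locks/$name"

    # Compile the keyfiles into the binary database only on the live system.
    if [ -z "$root" ] && command -v dconf >/dev/null 2>&1; then
        dconf update
    fi
}
```

Run it against a scratch directory first and inspect the three files it writes before using ROOT=/ in the template.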
