Q4: vm-templates and updates

[haaber]

Hello,
I try t understand the update process in Q4: according to qvm-ls the
vm-templates have *no* SYSNET. How do they update (they do!) ?

I came to this question since a dist-upgrade to stretch in a
debian-8-clone is (a) slow (suggesting sys-whonix as connections) and
(b) looses 1 out of 4 package downloads with " 500 unable to connect" so
that I have to run apt-get over and over to collect all packages.

Some explanation? Best, Bernhard

[Connor Page]

did you update it in R4 before cloning and upgrading?

templates establish a connection to a proxy running in some netvm defined in dom0 over a vchan.

[Connor Page]

[haaber]

On 12/11/2017 06:31 AM, Connor Page wrote:
> did you update it in R4 before cloning and upgrading?
>
> templates establish a connection to a proxy running in some netvm defined in dom0 over a vchan.
>

yes, I did. I had to run apt-get dist-upgrade -d a dozen times (and
spread over half a day) to fetch all ~800 packages. Now that they are
there, I can install normally. I got the impression that changing
identify in anon-browser (and hence resetting tor connections) improved
the #{of error messages} per apt-get run. But this is no science, just
a feeling. Bernhard

[Tom Zander]

I still have not figured this out myself, but I can help you with one step of
the puzzle.

In the archlinux template I noticed a config file is re-created every time I
boot by someone. The config file for the package manager sets a (http) proxy to
localhost, port 8082

Removing that config (so it stops using the proxy) and enabling the networking
on the qube makes stuff work a lot nicer.

Also, do check if you updated your /etc/apt/sources to use a local mirror.

[Tom Zander]

On Monday, 11 December 2017 11:31:22 GMT Connor Page wrote:
> templates establish a connection to a proxy running in some netvm defined
> in dom0 over a vchan.

Would you be able to repeat that in English ? :-)

[Connor Page]

Please refer to Qubes issue #3118 which spells it out.

[Unman]

It's a basic part of securing the template that you don't make it network
connected - that's what the proxy mechanism is for. I don't think you
should advise against this without explaining the risks. Use of an
update proxy for templates has been a long standing part of Qubes - it
used to contain rules to restrict what the template could connect to,
but this was removed some time back - you can reinstate those controls
if you wish.

This is a case where "making stuff work a lot nicer" isn't necessarily a
good idea.

Also, if you're using Whonix it suggests you have some concern about
your anonymity, so setting a local mirror would not be recommended. (And
if you are updating over Whonix pointless.)

unman

[Tom Zander]

On Monday, 11 December 2017 17:48:45 GMT Unman wrote:
> This is a case where "making stuff work a lot nicer" isn't necessarily a
> good idea.

The "log nicer" is that it is quite a bit faster and error handling is much
better.

> I don't think you should advise against this without explaining the risks.

Can you perhaps explain what you think those risks are?

To me it boils down to; don't run any software except for "software upgrades"
in your template.

I'm wondering if this is a "protect the user from himself" or something real.

[Unman]

On Mon, Dec 11, 2017 at 06:03:20PM +0000, 'Tom Zander' via qubes-users wrote:
> On Monday, 11 December 2017 17:48:45 GMT Unman wrote:
> > This is a case where "making stuff work a lot nicer" isn't necessarily a
> > good idea.
>
> The "log nicer" is that it is quite a bit faster and error handling is much
> better.
>

If you are updating over Tor (as op seems to) the speed wont change.

> > I don't think you should advise against this without explaining the risks.
>
> Can you perhaps explain what you think those risks are?
>
> To me it boils down to; don't run any software except for "software upgrades"
> in your template.
>
> I'm wondering if this is a "protect the user from himself" or something real.
>

It's a "protect the user from himself" thing, and real. I dont
understand why you would put these in opposition. The TemplateVM is as
trusted as the most trusted qube based on it - it makes sense to keep it
as isolated as possible, and to restrict user activities.
Not having network access also helps mitigate risks from potentially
malicious software and install scripts.
I personally preferred it when the proxy filtered access, and run it like
this in my set-up. I also use a caching proxy instead of tinyproxy.

Of course, you dont need to use the proxy - you can install software
from wherever you like and allow unrestricted access from the Template, if
you choose. You dont need to validate software before installing. You
can do whatever you like, and Qubes will let you do it. That doesn't mean
it's a good idea.