Proper partition scheme, for manual partitioning


cb4...@gmail.com

Nov 22, 2013, 9:31:51 PM
to qubes...@googlegroups.com
I want to try out Qubes, by installing it on a drive that I have already set up with an encrypted LVM (and that has other Linux installs on it and a separate data partition using most of the space).

So I have a free 500 Mb /boot partition, outside the encrypted LVM. And then space that could be used for / and /home partitions in the LVM. A couple questions:

1) Will this setup work with Qubes?

2) If so, how much space should I allocate to /boot, /, and /home? Is that the proper scheme or do I also need other partitions?

3) I tried booting the installer and it was able to decrypt and mount my LVM, but it presented the existing volumes in a kind of odd, disorganized jumble. I also noted that if I selected a volume for Qubes to mount as / or /home it showed the option to encrypt as a shaded out, already checked, unmodifiable option. Obviously I don't need to set up encryption on an already encrypted LVM. Is the Qubes installer going to properly set up Qubes to work with this existing encrypted LVM, so that when I boot it simply asks for the password for the existing encrypted partition? Or am I going to somehow mess up and potentially lose my data on this existing encrypted LVM?

Thanks for any help and thoughts about how to do this.

Alex Dubois

Nov 23, 2013, 4:14:51 AM
to qubes...@googlegroups.com, cb4...@gmail.com

My set-up (default) has 2 partitions:
/dev/sda1  /boot (500MB)
/dev/sda2 luks (rest of 250GB)

in luks
/dev/mapper/qubes-dom0-swap (8GB)
/dev/mapper/qubes-dom0-root (rest of disk)
/dev/mapper/snapshot-fd02... (10GB)
/dev/mapper/snapshot-fd02... (10GB)

/home is in / and is 2.4MB in size (empty), as it is strongly discouraged to do any work in dom0 apart from VM management.

There is an option in the Qubes installation to use unused space if I remember...

cprise

Nov 23, 2013, 5:37:20 AM
to cb4...@gmail.com, qubes...@googlegroups.com

On 11/22/13 21:31, cb4...@gmail.com wrote:
> 3) I tried booting the installer and it was able to decrypt and mount my LVM, but it presented the existing volumes in a kind of odd, disorganized jumble. I also noted that if I selected a volume for Qubes to mount as / or /home it showed the option to encrypt as a shaded out, already checked, unmodifiable option. Obviously I don't need to set up encryption on an already encrypted LVM. Is the Qubes installer going to properly set up Qubes to work with this existing encrypted LVM, so that when I boot it simply asks for the password for the existing encrypted partition? Or am I going to somehow mess up and potentially lose my data on this existing encrypted LVM?
>
> Thanks for any help and thoughts about how to do this.

My educated guess about the encryption (your situation sounds familiar)
is that the installer is keeping track of whether any of the LV's parent
volumes are encrypted (e.g. it knows the LV you want to use for /home is
already encrypted) so it signals that it knows this with the checkmark
and greys it out to keep you from encrypting more than one layer.

I think it should handle the install OK, but one should never assume...
backup your drive first!

Good luck :)

Cb

Nov 23, 2013, 6:24:50 AM
to qubes...@googlegroups.com, cb4...@gmail.com
Thanks for the replies. I guess I'll make a backup and assume the encryption will get set up correctly.

For the partitioning, I don't want to have Qubes use all the remaining space on my drive. So I guess my question is: In the manual partitioning part of the install, what partitions should I create for Qubes and how big does each one need to be?

Thanks.

Alex Dubois

Nov 23, 2013, 7:51:36 AM
to qubes...@googlegroups.com, cb4...@gmail.com

In that case, I would take what feels to me the easiest ride and set-up a partition of the size I would want to preserve and then follow Qubes install in remaining space... The decisions taken for you are already the right ones in terms of security, they are not the optimum ones for space use, but all things being equal are not wasting your money/time...

You can also give it a go on an external USB drive (obviously with perf decrease).

Depends what you want to do.

cprise

Nov 23, 2013, 8:40:31 AM
to qubes...@googlegroups.com, cb4...@gmail.com
Speaking of USB drives... It occurred to me that running other OSes on the internal drive could allow malware in one of them to attack your Qubes /boot filesystem. Eventually, it would be a good idea to re-install Qubes and move its boot partition to a USB stick. There is a Qubes utility called Anti Evil Maid that does this, among other things, but it's written for Qubes v1 and hasn't been adapted for v2 yet.

Cb

Nov 23, 2013, 7:46:13 PM
to qubes...@googlegroups.com, cb4...@gmail.com
On Saturday, November 23, 2013 4:51:36 AM UTC-8, Alex Dubois wrote:

> In that case, I would take what feels to me the easiest ride and set-up a partition of the size I would want to preserve and then follow Qubes install in remaining space... The decisions taken for you are already the right ones in terms of security, they are not the optimum ones for space use, but all things being equal are not wasting your money/time...
>
> You can also give it a go on an external USB drive (obviously with perf decrease).
>
> Depends what you want to do.

I don't really want to repartition my drive, I'd rather work with the existing encrypted LVM and my free /boot partition I have for this purpose. Obviously it's much easier for me to change the size of volumes in the LVM for whatever Qubes needs. Any suggestions about how to make that work? Using the free 500 Mb /boot partition outside the LVM and then whatever volumes are necessary with the LVM? The whole point of the LVM for me is that it just takes one password to decrypt the drive on bootup.

Thanks for any more ideas.

On Saturday, November 23, 2013 5:40:31 AM UTC-8, cprise wrote:

> Speaking of USB drives... It occurred to me that running other OSes on the internal drive could allow malware in one of them to attack your Qubes /boot filesystem. Eventually, it would be a good idea to re-install Qubes and move its boot partition to a USB stick. There is a Qubes utility called Anti Evil Maid that does this, among other things, but it's written for Qubes v1 and hasn't been adapted for v2 yet.

I understand having more than one OS on the same drive with Qubes opens it up to some potential risks. I'm not that worried about it right now. I just want to set up Qubes on the machine to try it out and not have to mess with USB sticks and so forth. Thanks.

Zrubecz Laszlo

Nov 25, 2013, 1:40:43 AM
to Cb, qubes...@googlegroups.com
On 24 November 2013 01:46, Cb <cb4...@gmail.com> wrote:

> I understand having more than one OS on the same drive with Qubes opens it
> up to some potential risks. I'm not that worried about it right now. I just
> want to set up Qubes on the machine to try it out and not have to mess with
> USB sticks and so forth. Thanks.

If you just wanna try it next to another OS I suggest keeping the default:
/boot unencrypted, and at least 200Mb
/ encrypted (or not) - the rest.

Keep in mind:
- the system needs ~3Gb space +
- one default template is ~4GB + what you install inside
- your AppVM private data - size depends on you :)

My suggestion about partitioning - if you are using Qubes as a main OS:

/boot - 500Mb
/ - 5-10Gb
/var/lib/qubes - the rest of your disk... for your appvms


--
Zrubi

Cb

Nov 25, 2013, 3:21:20 AM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu
Thanks Zrubi.

So you're saying, for just trying out next to an existing OS, all I need is the unencrypted /boot partition and then a volume inside my LVM assigned to /? If so, what size would be good for /? Just 10 GB? (Why do the Qubes system requirements say that it needs 32 GB?)

Also, in the example where I'm using Qubes as my main OS, why do I need the entire disk for the AppVMs in /var/lib/qubes? Perhaps I'm not really understanding how Qubes works. Is all data that I want to work with in Qubes stored inside the individual AppVMs? So if say I have a lot of video files or photos I could end up with a very large AppVM?

Usually I have a separate partition, that takes up most of my disk (or in this case a separate LVM volume), where I store my data. I don't use /home except mainly for the user settings that are stored in it. Is this not going to work with Qubes, to store data in a separate partition or volume like that?

Thanks,
Cb

Zrubi

Nov 25, 2013, 3:42:02 AM
to Cb, qubes...@googlegroups.com
On Mon, Nov 25, 2013 at 9:21 AM, Cb <cb4...@gmail.com> wrote:
> So you're saying, for just trying out next to an existing OS, all I need is
> the unencrypted /boot partition and then a volume inside my LVM assigned to /?
> If so, what size would be good for /? Just 10 GB? (Why do the Qubes system
> requirements say that it needs 32 GB?)

Well 10G is surely too small... 32G would be fine for testing.

Actually I've been using Qubes as my main OS since R1B2 and I've never hit
64Gb disk usage.
But it really depends on you.


> Also, in the example where I'm using Qubes as my main OS, why do I need the
> entire disk for the AppVMs in /var/lib/qubes? Perhaps I'm not really
> understanding how Qubes works. Is all data that I want to work with in Qubes
> stored inside the individual AppVMs? So if say I have a lot of video files
> or photos I could end up with a very large AppVM?

Yes. All your data will be inside your AppVM(s).
But the large here means only for your private storage file of the AppVM.

But you should really start reading the docs here (if you didn't read
it already:)
http://qubes-os.org/trac/wiki/UserDoc


> Is this not going to work with Qubes, to store data in a separate partition or volume like
> that?

You can also use your disk like you did before... but it would be
uncomfortable and maybe not secure.
with every standard AppVM you have one private storage space ~2 -
1024GB size of your choice.
This will be (mainly) your /home folder.

beside this you can attach any other block device you want:
http://qubes-os.org/trac/wiki/StickMounting


--
Zrubi

Cb

Nov 25, 2013, 8:22:42 PM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu
Thanks Zrubi. I think I'm starting to get a better picture in my head of the partitioning and how it relates to the way Qubes works. I had looked at the user docs, but there wasn't much info (that I could find) about partitioning for installation. But I'll take a closer look and see if I have more questions. Thanks again.

Alex Dubois

Nov 26, 2013, 3:37:16 AM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu


On Tuesday, 26 November 2013 01:22:42 UTC, Cb wrote:
> Thanks Zrubi. I think I'm starting to get a better picture in my head of the partitioning and how it relates to the way Qubes works. I had looked at the user docs, but there wasn't much info (that I could find) about partitioning for installation. But I'll take a closer look and see if I have more questions. Thanks again.

If you could drop a line here on what your findings are, happy to help and document it...

Cb

Nov 26, 2013, 5:02:54 AM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu
Zrubi, one other question for the moment. What is the reason for having a separate partition for /var/libs/qubes? Why not just let that reside within the / partition? Thanks.

Alex, which findings are you asking about? Also, in your initial response above when you listed your default setup, are you saying that's what the Qubes installer created when allowed to just use free space and do its default install mode? I'm curious because you show an 8 GB dom0 swap. But I thought Xen in Qubes doesn't use a swap space. See: https://groups.google.com/d/msg/qubes-devel/KDNMoNSgYVo/CTYvm8RzAfcJ. Just trying to make sense of the different things I'm reading.

Zrubi

Nov 26, 2013, 5:20:29 AM
to Cb, qubes...@googlegroups.com
On Tue, Nov 26, 2013 at 11:02 AM, Cb <cb4...@gmail.com> wrote:
> Zrubi, one other question for the moment. What is the reason for having a
> separate partition for /var/libs/qubes? Why not just let that reside within
> the / partition?

Well that's why I said the default is fine for most of the users
because actually it is fine :)

But the reason I suggest separating /var/libs/qubes is that once you
fill up the / --> many problems arise...
Your disk space consuming things are your VMs files... and actually
ALL of your VMs are living inside that folder.

If it is separated, then if you fill it up, your dom0 still can
boot(!) and you are able to free some space easily :)


--
Zrubi
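
The point made in this reply (a full VM store should not take dom0's / down with it) can be checked on an installed system. The following is an added example, not code from the thread or from the Qubes project: it finds which mount point backs /var/lib/qubes and flags a nearly full filesystem. The sample tables, device names and the 90% threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs use the /proc/mounts and
# `df -P` text formats; all sample data below is constructed.

# Layout with a separate VM store (device names are made up).
SAMPLE_SPLIT='/dev/sda1 /boot ext4 rw 0 0
/dev/mapper/vg-qubes_root / ext4 rw 0 0
/dev/mapper/vg-qubes_vms /var/lib/qubes ext4 rw 0 0'

# Layout with everything under /.
SAMPLE_SINGLE='/dev/sda1 /boot ext4 rw 0 0
/dev/mapper/qubes-dom0-root / ext4 rw 0 0'

# Constructed `df -P` output: VM store full, root still has room.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg-qubes_root 10190100 3145728 6520084 33% /
/dev/mapper/vg-qubes_vms 103081248 98566144 0 100% /var/lib/qubes'

# backing_mount TABLE PATH -> prints the mount point that contains PATH
# (longest-prefix match on whole path components).
backing_mount() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }'
}

# vm_store_isolated TABLE -> status 0 if /var/lib/qubes is not on the / filesystem.
vm_store_isolated() {
    [ "$(backing_mount "$1" /var/lib/qubes)" != "/" ]
}

# over_threshold DF_OUTPUT MOUNT PCT -> status 0 if MOUNT is at or above PCT% used.
over_threshold() {
    printf '%s\n' "$1" | awk -v m="$2" -v t="$3" '
        NR > 1 && $6 == m { sub(/%/, "", $5); if ($5 + 0 >= t + 0) hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# Report on the constructed samples.
for name in SPLIT SINGLE; do
    eval "table=\$SAMPLE_$name"
    if vm_store_isolated "$table"; then
        echo "$name: VM store is on its own filesystem"
    else
        echo "$name: VM store shares the / filesystem"
    fi
done
over_threshold "$SAMPLE_DF" /var/lib/qubes 90 && echo "VM store is above 90% used"
```

On a live dom0 the same functions can be fed `"$(cat /proc/mounts)"` and `"$(df -P)"` instead of the samples.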

Alex Dubois

Nov 26, 2013, 6:59:34 AM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu

On Tuesday, 26 November 2013 10:02:54 UTC, Cb wrote:
> Zrubi, one other question for the moment. What is the reason for having a separate partition for /var/libs/qubes? Why not just let that reside within the / partition? Thanks.
>
> Alex, which findings are you asking about? Also, in your initial response above when you listed your default setup, are you saying that's what the Qubes installer created when allowed to just use free space and do its default install mode? I'm curious because you show an 8 GB dom0 swap. But I thought Xen in Qubes doesn't use a swap space. See: https://groups.google.com/d/msg/qubes-devel/KDNMoNSgYVo/CTYvm8RzAfcJ. Just trying to make sense of the different things I'm reading.

You said you are starting to have a good understanding of the way partitioning should be done manually in order to take informed decisions on partition sizes and to install Qubes on it. So I thought that if that was the case, it would add value for you to post back on this thread and I can help the Qubes project in documenting your findings.

Scanning quickly the thread you are mentioning, it seems to indicate no swap space for the appVM, not for Qubes's Dom0 (which has swap, I double checked in my /etc/fstab).
What I showed is what a default Qubes install sets up with 8GB of Dom0 swap...

You are nearly there. Good luck.

Cb

Nov 27, 2013, 1:21:40 AM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu
@Zrubi Thanks. That makes sense.

@Alex Dubois I guess I meant I'm starting to understand Qubes enough that I think I can go ahead with my plan to use manual partitioning, instead of the default free space install. I don't know that I understand enough, sadly, that I can add a lot of value to the wiki.

I am still kind of confused about some things though.

1) As far as the swap goes, the post I linked to says: "No, each AppVM has a separate /tmp and no swap. Dom0 /tmp and swap are configurable, however the VMs will never be swapped out as Xen 3.4 doesn't support that (that's why 8GB RAM is strongly recommended; 4 GB is bare minimum for a few VMs)."

I read that as saying Dom0 can have a swap partition, but it will never use it. Hence you need a lot of RAM. In addition, Zrubi did not suggest a swap partition. (I imagine it could introduce security issues, unless it's properly encrypted.) So if it really is never used by Dom0, it seems like your system is eating up 8 GB for nothing on the swap partition and I wonder why the default install mode created it.

The quote above also does say that AppVMs don't have a swap, as you note. But curiously in the wiki it seems to say that each AppVM does have its own internal swap: http://qubes-os.org/trac/wiki/TemplateImplementation.

2) What are those snapshot partitions in your setup? Also something Zrubi did not mention.

Anyway, thanks for your input so far and for the encouragement.

Axon

Nov 27, 2013, 1:34:12 AM
to Cb, qubes...@googlegroups.com, ma...@zrubi.hu
On 11/26/13 22:21, Cb wrote:
> @Zrubi Thanks. That makes sense.
>
> @Alex Dubois I guess I meant I'm starting to understand Qubes enough that I
> think I can go ahead with my plan to use manual partitioning, instead of
> the default free space install. I don't know that I understand enough,
> sadly, that I can add a lot of value to the wiki.
>
> I am still kind of confused about some things though.
>
> 1) As far as the swap goes, the post I linked to says: "No, each AppVM has
> a separate /tmp and no swap. Dom0 /tmp and swap are configurable, however
> the VMs will never be swapped out as Xen 3.4 doesn't support that (that's
> why 8GB RAM is strongly recommended; 4 GB is bare minimum for a few VMs)."
>
> I read that as saying Dom0 can have a swap partition, but it will never use
> it. Hence you need a lot of RAM. In addition, Zrubi did not suggest a swap
> partition. (I imagine it could introduce security issues, unless it's
> properly encrypted.) So if it really is never used by Dom0, it seems like
> your system is eating up 8 GB for nothing on the swap partition and I
> wonder why the default install mode created it.
>

There are some informative old threads on this issue, which I recommend
searching for. (IIRC, someone asked exactly the same question.) However,
the conclusion was basically that you do *not* want to run out of dom0
swap, as "very bad things" will happen if you do. That's why the default
gives you plenty of swap space. You can *probably* get away with having
only 1-2GB if you always use xfce (IIRC, it was said that KDE could
possibly need to use a fair amount of swap space in some circumstances),
but if you go that route, don't say you weren't warned...

Zrubi

Nov 27, 2013, 3:31:36 AM
to Cb, qubes...@googlegroups.com
On Wed, Nov 27, 2013 at 7:21 AM, Cb <cb4...@gmail.com> wrote:

> I read that as saying Dom0 can have a swap partition, but it will never use
> it. Hence you need a lot of RAM. In addition, Zrubi did not suggest a swap
> partition.

Well, it was my mistake not to mention the swap partition. dom0
definitely needs some swap space - even if it's not really used.
Actually I have 4G swap (and 8G RAM)


> 2) What are those snapshot partitions in your setup? Also something Zrubi
> did not mention.

Snapshot partition is really not needed. The idea came up when we
talked about the possible backup solutions.
One was using the LVM snapshot feature. But I never tried it yet.


--
Zrubi

Alex Dubois

Nov 27, 2013, 4:34:17 PM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu


On Wednesday, 27 November 2013 06:21:40 UTC, Cb wrote:
> @Zrubi Thanks. That makes sense.
>
> @Alex Dubois I guess I meant I'm starting to understand Qubes enough that I think I can go ahead with my plan to use manual partitioning, instead of the default free space install. I don't know that I understand enough, sadly, that I can add a lot of value to the wiki.

Whatever you configure and get a working config out of manual partitioning has value.
 
Cb

Nov 27, 2013, 7:58:03 PM
to qubes...@googlegroups.com, Cb, ma...@zrubi.hu
@Axon Thanks for the info and suggestion. I did initially look for threads on partitioning, but wasn't able to find much. But I'll take another look.

@Zrubi Thanks for the clarification on the swap and snapshot partitions.

@Alex Dubois Okay, when (if) I get it working, I'll let you know what I did.