Update Autonomous Qubes-install (kickstart).md

- Adding a to-do list at top of doc, to show what is planned and known to be missing before it can be released to the official Qubes doc PR.
- Splitting the tips section in tips related to Kickstart, and tips related to general boot issues.
- Adding new tips to both kickstart and boot issue tips.
- Removing text about Kickstart files in culture, this is outside the purpose and scope, and helps reducing the amount to read.
- Minor fixes such as typo's found 'here and there'.

Considerations, whether to construct a separate doc for the boot issue sections, since people needing the kickstart doc may not have these extra issues, and it isn't strictly speaking related to kickstart issues (although they do often come together). An idea being considered might be to make a separate doc for booting issues, and then link to it from here instead.
This commit is contained in:
Yuraeitha 2018-06-07 13:02:59 +00:00 committed by GitHub
parent f89bf6c0a2
commit 18feb71cc6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,13 +1,23 @@
## Note ## ## Note - Doc not finished yet! ##
This doc is reaching toward completion, however, has some errors that need correction first, as well as missing additions. This doc is reaching toward completion, however, has some errors that need correction first, as well as missing additions.
To-do:
- Fix kickstart template, it has a couple of issues, like creating user account creation that does conflict with first-boot, Qubes's initial-setup.
- Include template variants (for example to illustrate how they are modified, but this is a low-priority to-do).
- Sorting and including/excluding the proper packages that are recommended or optional (recommended packages are high priority, optional packages are low priority).
- Completting the sections that mention "may be included in the future" found a few places in the doc.
- Fixing bad tips, advices or KS-template layouts (proof-reading, requires extra study/read-up (must be done before official Qubes doc PR summit), or help from someone with insight).
- Fixing poor explanations (proof-reading).
- Fixing typo's and spelling errors, grammer etc, (proof-reading).
- Any feedback or contributions, like helping toward finishing the to-do, is very welcome and appreciated.
## Introduction ## ## Introduction ##
The purpose of kickstart files is to install an operation system from start to end with less, or no human interaction at all. A kickstart file is therefore essentially a pre-configuration of any settings you may normally need to adjust during a normal Linux install. Here you may find instructions on how to get started with Qubes OS and kickstart files. The purpose of kickstart files is to install an operation system from start to end with less, or no human interaction at all. A kickstart file is therefore essentially a pre-configuration of any settings you may normally need to adjust during a normal Linux install. Here you may find instructions on how to get started with Qubes OS and kickstart files.
In order to avoid confustion, please note that the use of the wording kickstarter template does not refer to Qubes templates, but rather a simple configuration file, which when loaded will semi or fully Autonomously install Qubes (or fedora/redhat/cent). In order to avoid confusion, please note that the use of the wording kickstarter template does not refer to Qubes templates, but rather a simple configuration file, which when loaded will semi or fully Autonomously install Qubes (or fedora/redhat/cent).
<br /> <br />
@ -30,7 +40,7 @@ _The list is not exhausted, there may be other uses not listed here._
- Scripts can also be used to automate other things, like restoring backups (maybe include a popup confirm message). - Scripts can also be used to automate other things, like restoring backups (maybe include a popup confirm message).
- Kickstart file and all scripts can be put on the installer medium, other on a separate USB/medium. It makes it easier for the user if kept on a single device. - Kickstart file and all scripts can be put on the installer medium, other on a separate USB/medium. It makes it easier for the user if kept on a single device.
_Once you constructed your kickstart file, using them is faster than via normal install. It may take some time in the beginning to get proper habits and adjusting your personal settings, but consider it a time investment to save time and hassles in the future. Note new Qubes version release distributions may be slightly different, sometimes this may or may not require changes to your kickstart file. Be sure to keep your kickstart file secured, or check it against any changes done by 3rd party sources. However kickstart files are simple enough to quickly review before use, be sure you check everything, packages as well._ _Once you constructed your kickstart file, using them is be faster than normal Qubes install. It may take some time in the beginning to get proper habits and adjusting your personal settings, but consider it a time investment to save time and hassles in the future. Note new Qubes version release distributions may be slightly different, sometimes this may or may not require changes to your kickstart file. Be sure to keep your kickstart file secured, or check it against any changes done by 3rd party sources. However kickstart files are simple enough to quickly review before use, be sure you check everything, packages as well._
<br /> <br />
@ -152,19 +162,53 @@ _List is not finished, will be updated._
- When making semi kickstart files, be mindful of which settings that need to be disabled in order for the kickstart file to properly halt. - When making semi kickstart files, be mindful of which settings that need to be disabled in order for the kickstart file to properly halt.
<br /> <br />
## Tips and tricks that may make a difference ## ## Qubes kickstart usage: Tips and tricks that may make a difference ##
- If you're trying to get Qubes installed, for example on a machine without graphics, and you need sys-net and sys-firewall to update and repair dom0, then you may want to insert a network cable that does not require a password. - **Graphics issues**
- If you're trying to get Qubes installed, for example on a machine without graphics, and you need sys-net and sys-firewall to update and repair dom0, then you may want to insert a network cable that does not require a password.
- If you do not have an RJ45 network port, then you can permanently or temporarily move the USB controller into your sys-net. Tell the Qubes installers initial setup at first boot, to make sys-net include sys-usb, so that sys-net holds your USB controllers. This way you can find your, or buy, a cheap USB to RJ45 network converter. - If you do not have an RJ45 network port, then you can permanently or temporarily move the USB controller into your sys-net. Tell the Qubes installers initial setup at first boot, to make sys-net include sys-usb, so that sys-net holds your USB controllers. This way you can find your, or buy, a cheap USB to RJ45 network converter.
- Instructions on how to enable password based networking without graphic drivers are possible, like wireless networking. But in its current form is not included in this doc. It may however be included in the future. - Instructions on how to enable password based networking without graphic drivers are possible, like wireless networking. But in its current form is not included in this doc. It may however be included in the future.
- Instructions on how to securely download updates on a different computer and install via USB or other mediums is possible. May be included in the future. - **Updating Qubes offline (without network)**
- Five different easy ways to get terminal on an empty system, to identity drive order/numbers. - Instructions on how to securely download updates on a different computer and install via USB or other mediums is possible. May be included in the future.
- **Reaching dom0 Terminal**
- Five different easy ways to get terminal on an empty system, to identity drive order/numbers.
- Let the Qubes installer boot normally. When or if it fails, switch to tty2 or tty3 to get terminal. If this does not work (it may sometimes not be reachable on a failed boot), then proceed to next point below. - Let the Qubes installer boot normally. When or if it fails, switch to tty2 or tty3 to get terminal. If this does not work (it may sometimes not be reachable on a failed boot), then proceed to next point below.
- Put the number `3` after `quiet` in the boot Linux boot parameters. This boots the system into a non-graphical dom0 terminal (similar effect to using tty#). - Put the number `3` after `quiet` in the boot Linux boot parameters. This boots the system into a non-graphical dom0 terminal (similar effect to using tty#).
- Boot from the Qubes installer, pick troubleshoot, and then the option to rescue an existing Qubes system (even if there is no Qubes system installed). When requested to pick between 4-5 options, kick the skip to shell (if you only need to do `lsblk` for disk information, then this is sufficient), or continue into existing Qubes dom0 if you need it for other extra reasons. - Boot from the Qubes installer, pick troubleshoot, and then the option to rescue an existing Qubes system (even if there is no Qubes system installed). When requested to pick between 4-5 options, kick the skip to shell (if you only need to do `lsblk` for disk information, then this is sufficient), or continue into existing Qubes dom0 if you need it for other extra reasons.
- Use a Live boot from a different distro, however unlike the above, this does not load most or all Qubes sub-systems, and also risks exposing dom0. This is the least desired method. - Use a Live boot from a different distro, however unlike the above, this does not load most or all Qubes sub-systems, and also risks exposing dom0. This is the least desired method.
- Preferably use another Linux distro you trust. For example Fedora live, the distro which dom0 is based on. - Preferably use another Linux distro you trust. For example Fedora live, the distro which dom0 is based on.
- The Qubes Live (Alpha) medium may also work, however this is currently untested. Using any of the first 3 options above should be sufficient. - The Qubes Live (Alpha) medium may also work, however this is currently untested. Using any of the first 3 options above should be sufficient.
## Qubes booting: Tips and tricks that may make a difference ##
- **Reaching Qubes 4.0 boot installer configuration**
- In Qubes 4.0, and maybe 4.1. although it may have been fixed in the upcoming 4.1. version, you will need to use the `Tab` key instead of the `e` key like you normally do to change settings in the Grub boot installer menu.
- It looks different to Grub, here little changes except for the bottom of the screen, which will include a brief couple of lines where you can change settings.
- You may include the kickstart script here, and you can also do other settings changes like blacklisting drivers, or enabling drivers, and so on.
- **Some BIOS cause irritating issues, and how to avoid/fix**
- One such scenario are if you cannot find your boot device despite it having worked previously, and settings have not changed in BIOS. If this happens, it often works to enter the BIOS, making no changes, and choose "save and exit". This refreshes the BIOS settings, and the drive can be booted.
- Other times the BIOS may "reset" on its own without any warning, for example if you change hardware or at any time had temporairly removed any hardware (internal hardware, not counting USB devices, etc.). If you're having issues, make sure this is not the case by checking the BIOS settings. Off-topic, but worth including: The BIOS reset can also lead to disabling the IOMMU security settings if it is disabled in the default factury profile, and if you don't notice the BIOS reset, then this will leave your system becoming vulnurable. Please consider using Anti-Evil-Maid (AEM) to protect against these, but be mindful of the trade-off's of using AEM. [You can find official information about AEM here](https://www.qubes-os.org/doc/anti-evil-maid/).
- **Disabling Secure Boot, and hidden bugs**
- Currently Qubes OS do not hold a secure boot key/license, so secure boot will not work with Qubes.
- The Qubes OS staff have stated that they do not endorse secure boot, because it has short-comings and issues.
- Currently your only option is to disable secure-boot.
- Please remember that other installed dual-boot systems that depend on secure-boot may stop working if you disable secure-boot. This isn't only Windows, but include some Linux distributions that have choosen to support secure-boot.
- In general it's also discouraged to run dual-boot systems, whether Linux, Windows or other, because it weakens the isolation protection that dom0 seeks to maximize.
- High profile targets, or just unlucky badly infected systems, make dual-boot a significant threath to dom0, encryption is not enough (anything in various device firmware (like drive firmwares), BIOS/UEFI, or Grub itself, can be infected and exploited). Keeping your system clean, preferably without previous history of previous system installs, is desireable (If this is all new to you, then you're encouraged to read up on general and common Qubes security).
- A hidden bug appears on "some" motherboards/BIOS versions, where it may not always be enough to just disable secure-boot, but also deleting the secure-boot keys (if available).
- Remember to check the motherboard manual if you can restore the keys on a later point if you need them later!
- It is unknown how common the bug is, it's probably not widespread, but it has at least one anecdotal case on a desktop ASUS Z170 Pro motherboard.
- **Unsupported graphic-cards and dual graphic-cards**
- You gain little or no benifit by putting a powerful graphiccard in dom0, unless your goal is many screens, or extreme resolutions. Most modern internal graphic cards can easily run a 4K screen, or a couple of dual-screens in 2K-3K graphic resolution.
- Some dual-graphic motherboards have adjustable BIOS settings that affects both internal and external, like shared memory or simiar effects. Be sure you check these settings if you have trouble booting.
- Do not do this if you do not know what you're doing, changing such settings could give you a black screen at boot or damage your system (especially on systems that have overclocking features, whether you intend to overclock or not, such BIOS typically have many more settings outside the overclocking section, which may or may not be dangerous for your systems well-being to change).
- One way to fix bad BIOS settings that cause a black-screen, that normally works and assuming no damage was caused, is to temporarily remove the CMOS battery on the motherboard to reset it (or switch jumpers, see your motherboard manual).
- If you have a laptop or an exotic system then it may be hard to reach such a reset functionality, but similar most laptops have simple BIOS's, which as a result means it may be less easily set to a bad setting requiring a reset (but still be careful).
- If you use an unsurported graphic-card by Qubes OS, then it requires troubleshooting (like the above kickstart graphic fix tip), or it may not be possilbe (missing drivers/support for fedora systems).
- (Nvidia/Intel graphics): If you have a dual-graphic system (Onboard-Intel/External-Nvidia), then it may be easier to go with the on-board Intel graphics which is better supported than nvidia drivers. The nouveau drivers are preferred, sincenthe offical nvidia drivers are closed source Proprietary code and shouldn't be trusted in the dom0 environment, and can also be quite troublesome to install as well.
- (AMD graphics): The onboard/external graphic cards by AMD which tend to be more supported on Linux in general, although it is uncertain if its better supported than onboard intel graphics (Onboard intel may probably generally be a bit better than AMD, but many AMD cards seem to work quite neatly as well).
- More effort is being put into making AMD graphics work in Linux, for example the Linux Kernel 4.17 will include support for AMDGPU in the kernel itself, where you no longer need to provide a newer linux-firmware package and then enable it yourself in the kernel settings during Grub start-up, but from then onwards, should just work out-of-the-box.
- This presumes the right version of AMDGPU is in the kernel (from 4.17. upwards) and that your AMD graphic-card isn't too new for the kernel (reasonable to assume within 6 months to 12 months), or possibly too old.
- Currently dom0 graphics is not passthrough but is run directly in the domo environment, and therefore does not need to have passthrough capability, however, and be mindful, that this may or may not change in Qubes 4.1. where graphics may become isolated from dom0, which may potentially bring new passthrough graphic issues to life.
- This new isolation feature may possibly be optional, just like PV/HVM/PVH, sys-usb isolation, and similar user-choices, depending on what the developers finds to be the best approach to avoid hardware conflicts, so keep this possibility in mind for the future.
<br /> <br />
@ -187,9 +231,6 @@ https://groups.google.com/forum/#!msg/qubes-users/-9qRHSkwfy8/CCx08nnTVEAJ
<br /> <br />
## Kickstart files are sometimes controversial in culture ##
Some label them for advanced users only (being too difficult to use), while others label them for noobs, or newbs, only. The beliefs, or statements, are contradictionary to each others. In reality though, kickstart files can be useful for anyone, whether made for someone who is not very skilled with computers, or useful for someone who is an advanced computer user. So it is best to keep it that way, kickstart files are useful tools that everyone can use in some way or another, don't let silly culture conjuncture influence what you use, if it is useful to you. Furthermore, anyone who have the skill level to install and use Qubes on their own, can probably also build and use their own kickstart files. They're not as scary as they might seem at first.
<br />
## Consideration before submitting updates to this doc ## ## Consideration before submitting updates to this doc ##
This doc is originally submitted by the fully independent volunteer group, Qubes Community Collaboration (QCC). You're naturally free to submit improvements of this doc to the Qubes OS staff for review on your own , but you can also choose to go through our channels at https://github.com/Qubes-Community/Contents/issues if you would like to improve the doc through the community collaboration. Feel free to start up an issue at QCC to discuss this doc and how to proceed. This potentially saves the Qubes OS staff time and resources, while still preserving transparency, and it helps improving doc PR summits further when worked out, improved, and shaped by a community. If its your first time submitting to GitHub but you would like to be independent, then we at QCC still encourage you get some GitHub experience through our channels first, before submitting anything official Qubes OS on your own. Credit to author(s) will always be preserved. This doc is originally submitted by the fully independent volunteer group, Qubes Community Collaboration (QCC). You're naturally free to submit improvements of this doc to the Qubes OS staff for review on your own , but you can also choose to go through our channels at https://github.com/Qubes-Community/Contents/issues if you would like to improve the doc through the community collaboration. Feel free to start up an issue at QCC to discuss this doc and how to proceed. This potentially saves the Qubes OS staff time and resources, while still preserving transparency, and it helps improving doc PR summits further when worked out, improved, and shaped by a community. If its your first time submitting to GitHub but you would like to be independent, then we at QCC still encourage you get some GitHub experience through our channels first, before submitting anything official Qubes OS on your own. Credit to author(s) will always be preserved.