Merge pull request #141 from lubellier/archlinux-fix

Refresh the ArchLinux build guide (4.1, guide structure, known issues…
awokd 2021-08-01 18:44:57 +00:00 committed by GitHub
commit 9a3b618f73
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,25 +1,33 @@
# Building the 'archlinux-minimal' Qubes template # Building the 'archlinux-minimal' Qubes template
> **These instructions are for Qubes 4.0.? and 4.1.? only.** > **These instructions are for Qubes 4.0.4 and 4.1.**
Guide status:
- 4.0.4 :
- 4.1-beta1 : validated (2021-07-31) by the commit author of this line.
## Steps
### 0. Installing the 'fedora-33-minimal' Qubes template
Note: an alternative is using an fedora-{33,34} appVM.
### 0. Installing the 'fedora-32-minimal' Qubes template
#### Open a terminal in Dom0 #### Open a terminal in Dom0
Large download (~639MB); if using 'sys-whonix' as the Dom0 UpdateVM then temporarily swap to 'sys-firewall' (to speed-up download speeds). Large download (~639MB); if using 'sys-whonix' as the Dom0 UpdateVM then temporarily swap to 'sys-firewall' (to speed-up download speeds).
```console ```console
# qubes-dom0-update qubes-template-fedora-32-minimal # qubes-dom0-update qubes-template-fedora-33-minimal
``` ```
Keep in mind what Qubes OS version your installation is; used when building Qubes Components and Template(s). Keep in mind what Qubes OS version your installation is; used when building Qubes Components and Template(s).
```console ```console
# cat /etc/qubes-release # cat /etc/qubes-release
``` ```
``` ```
# qvm-run -u root fedora-32-minimal xterm # qvm-run -u root fedora-33-minimal xterm
# dnf install qubes-core-agent-passwordless-root qubes-core-agent-networking iproute # dnf install qubes-core-agent-passwordless-root qubes-core-agent-networking iproute
# exit # exit
``` ```
___ ___
### 1. Open a non-root ($) terminal in the 'fedora-32-minimal' TemplateVM. ### 1. Open a non-root ($) terminal in the 'fedora-33-minimal' TemplateVM.
> **How to see whether the `'GNUMAKEFLAGS'` or `'MAKEFLAGS'` environment variable is used: \ > **How to see whether the `'GNUMAKEFLAGS'` or `'MAKEFLAGS'` environment variable is used: \
`$ strings /usr/bin/make | grep MAKEFLAGS` \ `$ strings /usr/bin/make | grep MAKEFLAGS` \
GNU Make's `-l` set to same value as `-j` prevents CPU overcommitment.** GNU Make's `-l` set to same value as `-j` prevents CPU overcommitment.**
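Review bot: The `4.0.4 :` entry in the new "Guide status" list is empty, while the banner above it now says the instructions are for Qubes 4.0.4 and 4.1, so a reader cannot tell whether 4.0.4 was tested against 'fedora-33-minimal'. Fill it in or write "not validated" explicitly, and replace "the commit author of this line" with a name or handle so the validation stays attributable without running blame. The note under step 0 should read "a fedora-{33,34} AppVM", and because the Known issues section added later in this commit reports a sudo failure with fedora 34, that note should point to it.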
@ -243,11 +251,14 @@ $ make qubes-vm
$ make vmm-xen-vm $ make vmm-xen-vm
$ make core-vchan-xen-vm $ make core-vchan-xen-vm
$ make core-qubesdb-vm $ make core-qubesdb-vm
$ make core-qrexec-vm
$ make linux-utils-vm $ make linux-utils-vm
$ make core-agent-linux-vm $ make core-agent-linux-vm
$ make gui-common-vm $ make gui-common-vm
$ make gui-agent-linux-vm $ make gui-agent-linux-vm
$ make app-linux-split-gpg-vm $ make app-linux-split-gpg-vm
$ make app-linux-usb-proxy-vm
$ make meta-packages-vm
``` ```
___ ___
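Review bot: The added targets `make core-qrexec-vm`, `make app-linux-usb-proxy-vm` and `make meta-packages-vm` are listed unconditionally, but the guide claims to cover both 4.0.4 and 4.1 and only 4.1-beta1 is marked as validated. Say next to the list which release each new target applies to, or confirm that all three build on 4.0.4, so that 4.0.4 users do not run into a failing `make` target with no explanation.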
@ -282,10 +293,12 @@ $ ./install-templates.sh
* If the build process went smoothly, the 'archlinux' and/or 'archlinux-minimal' template will be listed in Qubes Manager. * If the build process went smoothly, the 'archlinux' and/or 'archlinux-minimal' template will be listed in Qubes Manager.
___ ___
### Debugging the build process ## Debugging the build process
Arch Linux is a [rolling](https://en.wikipedia.org/wiki/Rolling_release) distro, making it a fragile template for Qubes. Arch Linux is a [rolling](https://en.wikipedia.org/wiki/Rolling_release) distro, making it a fragile template for Qubes.
It's important to understand how to debug Qubes templates, fix, then do a pull request. It's important to understand how to debug Qubes templates, fix, then do a pull request.
See below explanations and examples which (we hope) will help you to solve the common problems, and do a pull request with your solution.
[neowutran's semi-automated 'archlinux-minimal' Qubes template builder script](https://github.com/Qubes-Community/Contents/blob/master/code/OS-administration/build-archlinux.sh). \ [neowutran's semi-automated 'archlinux-minimal' Qubes template builder script](https://github.com/Qubes-Community/Contents/blob/master/code/OS-administration/build-archlinux.sh). \
The most important part about this script is where to add custom code that is not in the Qubes OS repositories. The most important part about this script is where to add custom code that is not in the Qubes OS repositories.
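Review bot: The added sentence "See below explanations and examples which (we hope) will help you..." is awkward and ends with a trailing "and do a pull request" that repeats the line above it. Suggest "The explanations and examples below should help you solve the common problems and submit a pull request with your fix." The heading promotion from `###` to `##` is fine as long as the other top-level sections touched in this commit use `##` as well.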
@ -308,7 +321,8 @@ $ rm -Rf "$directory/qubes-src/gui-agent-linux/"
$ cp -R ~/qubes-gui-agent-linux "$directory/qubes-src/gui-agent-linux" $ cp -R ~/qubes-gui-agent-linux "$directory/qubes-src/gui-agent-linux"
``` ```
#### Example ### UseCase : Xorg
Launch the build: Launch the build:
```console ```console
$ ./build_arch.sh $ ./build_arch.sh
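Review bot: The new heading `### UseCase : Xorg` is spelled differently from the sibling heading changed further down, `### UseCase: Missing pulsecore error ...` (space before the colon here, none there). Pick one form for both, for example "Use case: Xorg", and say in the heading what the Xorg problem is, since "Xorg" alone does not tell the reader which failure this section covers.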
@ -359,7 +373,8 @@ cp -R ~/qubes-gui-agent-linux "~/qubes-builder/qubes-src/gui-agent-linux"
Then try building the template. Then try building the template.
If the template built successfully and works as expected, do a pull request on GitHub to share your fix(es). If the template built successfully and works as expected, do a pull request on GitHub to share your fix(es).
### Missing pulsecore error when building the gui-agent-linux ### UseCase: Missing pulsecore error when building the gui-agent-linux
```console ```console
$ make $ make
module-vchan-sink.c:64:10: fatal error: pulsecore/core-error.h: No such file or directory module-vchan-sink.c:64:10: fatal error: pulsecore/core-error.h: No such file or directory
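Review bot: The command visible in this hunk's header context, `cp -R ~/qubes-gui-agent-linux "~/qubes-builder/qubes-src/gui-agent-linux"`, keeps `~` inside double quotes, where the shell does not expand it, so the copy goes to a literal `~` directory instead of the builder tree. Since this commit refreshes the section, change the destination to `"$HOME/qubes-builder/qubes-src/gui-agent-linux"`, matching the `"$directory/..."` form used in the earlier example.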
@ -385,12 +400,61 @@ $ cd $HOME/qubes-builder/qubes-src/gui-agent-linux/pulse/
$ ln -sr pulsecore-14.1 pulsecore-14.2 $ ln -sr pulsecore-14.1 pulsecore-14.2
``` ```
### Debugging Qubes' runtime ### Known issues
### sudo: effective uid is not 0
If you get the below error with fedora 34:
<details><summary>Details of the `sudo: effective uid is not 0` error</summary>
```
==> Making package: qubes-vm-xen 4.14.2-1 (Sat Jul 31 15:17:57 2021)
==> Checking runtime dependencies...
==> Installing missing dependencies...
sudo: effective uid is not 0, is /usr/sbin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
==> ERROR: 'pacman' failed to install missing dependencies.
==> Missing dependencies:
-> python
-> bridge-utils
-> python-lxml
-> lzo
-> yajl
==> Checking buildtime dependencies...
==> Installing missing dependencies...
sudo: effective uid is not 0, is /usr/sbin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
==> ERROR: 'pacman' failed to install missing dependencies.
==> Missing dependencies:
-> wget
-> git
-> bin86
-> dev86
-> acpica
-> yajl
-> pixman
==> ERROR: Could not resolve all dependencies.
make[2]: *** [/home/user/qubes-builder/qubes-src/builder-archlinux/Makefile.archlinux:138: dist-package] Error 8
make[1]: *** [Makefile.generic:191: packages] Error 1
make: *** [Makefile:259: vmm-xen-vm] Error 1
```
</details>
The partition used for the build process needs the suid option, in the qubes-builder remount script.
In the `/home/user/qubes-builder/scripts/remount` file change the line:
```
sudo mount "$mountpoint" -o dev,remount
```
with:
```
sudo mount "$mountpoint" -o dev,suid,remount
```
## Debugging the Qubes-ArchLinux runtime
If you are able to launch a terminal and execute command, utilize your Arch-fu to fix the issue. \ If you are able to launch a terminal and execute command, utilize your Arch-fu to fix the issue. \
If unable to launch a terminal, shutdown the qube, create a new DisposableVM, [mount an Arch Linux ISO in a DisposableVM](https://www.qubes-os.org/doc/mount-lvm-image/), chroot to it, and then use your Arch-fu. \ If unable to launch a terminal, shutdown the qube, create a new DisposableVM, [mount an Arch Linux ISO in a DisposableVM](https://www.qubes-os.org/doc/mount-lvm-image/), chroot to it, and then use your Arch-fu. \
Example of this kind of debugging [that happened on Reddit](https://old.reddit.com/r/Qubes/comments/eg50ne/built_arch_linux_template_and_installed_but_app/). Example of this kind of debugging [that happened on Reddit](https://old.reddit.com/r/Qubes/comments/eg50ne/built_arch_linux_template_and_installed_but_app/).
#### Question ### Question
Hello. Hello.
I just built an 'archlinux' template and moved it to Dom0, then installed the template. I just built an 'archlinux' template and moved it to Dom0, then installed the template.
Afterwards I tried to open a terminal in the 'archlinux' TemplateVM, but it shows nothing. \ Afterwards I tried to open a terminal in the 'archlinux' TemplateVM, but it shows nothing. \
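Review bot: The workaround that changes `-o dev,remount` to `-o dev,suid,remount` is given with no explanation of what it changes: adding `suid` makes setuid binaries on the build partition effective, which is what lets `sudo` run there. State that in one sentence, and say that this is a local edit to `scripts/remount` inside the qubes-builder checkout, so readers know it must be reapplied after updating the checkout. Two smaller points: `### sudo: effective uid is not 0` is at the same level as `### Known issues` and should be `####` to nest under it, and "change the line ... with" should read "replace the line ... with".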
@ -412,7 +476,7 @@ audit: type=1131 audit(some number): pid=1 uid=0 auid=some number ses=some numbe
I tried to rebuild the 'archlinux' template and got the same issue. \ I tried to rebuild the 'archlinux' template and got the same issue. \
How can I debug this Qube? How can I debug this Qube?
#### Answer ### Answer
The issue came from a systemd unit named "qubes-mount-dirs". We want to know more about that. \ The issue came from a systemd unit named "qubes-mount-dirs". We want to know more about that. \
We can't execute command into the qube, so let's shut it down. We can't execute command into the qube, so let's shut it down.
Then, we mount the 'archlinux' root disk into a DisposableVM ( Then, we mount the 'archlinux' root disk into a DisposableVM (
@ -506,7 +570,8 @@ I rebuild the template with those modification, and it is working as expected.
I will send a pull request. Does someone have a better idea on "Why ***`diffutils`*** was not installed in the first place?" ? I will send a pull request. Does someone have a better idea on "Why ***`diffutils`*** was not installed in the first place?" ?
[The commit](https://github.com/neowutran/qubes-builder-archlinux/commit/09a435fcc6bdcb19144d198ea20f7a27826c1d80) [The commit](https://github.com/neowutran/qubes-builder-archlinux/commit/09a435fcc6bdcb19144d198ea20f7a27826c1d80)
### Creating a archlinux repository ___
## Creating an ArchLinux repository
Once the template have been build, you could use the generated archlinux packages to create your own archlinux repository for QubesOS packages. Once the template have been build, you could use the generated archlinux packages to create your own archlinux repository for QubesOS packages.
You need to: You need to:
* Sign the packages with your GPG key * Sign the packages with your GPG key
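Review bot: The retitled heading `## Creating an ArchLinux repository` introduces a third spelling of the distribution name, next to "Arch Linux" in the debugging section and "archlinux" in the sentence directly below it. Use "Arch Linux" in prose and headings and keep `archlinux` for template and package names only. While touching this section, the first sentence should also be fixed: "Once the template have been build" should read "Once the template has been built".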