Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-28 00:39:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

Import documentation converted with pandoc -f rst -t markdown_github and README.md from qubes-app-linux-tor

Browse Source
This commit is contained in:
Hakisho Nukama 2015-05-05 17:24:29 +00:00
parent 55d1e75409
commit 0db15c5745
No known key found for this signature in database
GPG Key ID: F942FF5D3C618D64
22 changed files with 1299 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
Dom0Tools/QvmAddAppvm.md
View File

@ -5,4 +5,39 @@ permalink: /doc/Dom0Tools/QvmAddAppvm/
redirect_from: /wiki/Dom0Tools/QvmAddAppvm/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-add-appvm.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-add-appvm.rst;hb=master,%20text/x-rst))
qvm-add-appvm
=============
NAME
----
qvm-add-appvm - add an already installed appvm to the Qubes DB
WARNING: Noramlly you would not need this command, and you would use qvm-create instead!
Date
2012-04-10
SYNOPSIS
--------
qvm-add-appvm [options] \<appvm-name\> \<vm-template-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-p DIR\_PATH, --path=DIR\_PATH
Specify path to the template directory
-c CONF\_FILE, --conf=CONF\_FILE
Specify the Xen VM .conf file to use(relative to the template dir path)
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

38
Dom0Tools/QvmAddTemplate.md
View File

@ -5,4 +5,40 @@ permalink: /doc/Dom0Tools/QvmAddTemplate/
redirect_from: /wiki/Dom0Tools/QvmAddTemplate/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-add-template.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-add-template.rst;hb=master,%20text/x-rst))
qvm-add-template
================
NAME
----
qvm-add-template - adds an already installed template to the Qubes DB
Date
2012-04-10
SYNOPSIS
--------
qvm-add-template [options] \<vm-template-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-p DIR\_PATH, --path=DIR\_PATH
Specify path to the template directory
-c CONF\_FILE, --conf=CONF\_FILE
Specify the Xen VM .conf file to use(relative to the template dir path)
--rpm
Template files have been installed by RPM
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

32
Dom0Tools/QvmBackup.md
View File

@ -5,4 +5,34 @@ permalink: /doc/Dom0Tools/QvmBackup/
redirect_from: /wiki/Dom0Tools/QvmBackup/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-backup.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-backup.rst;hb=master,%20text/x-rst))
qvm-backup
==========
NAME
----
qvm-backup
Date
2012-04-10
SYNOPSIS
--------
qvm-backup [options] \<backup-dir-path\>
OPTIONS
-------
-h, --help
Show this help message and exit
-x EXCLUDE\_LIST, --exclude=EXCLUDE\_LIST
Exclude the specified VM from backup (might be repeated)
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

53
Dom0Tools/QvmBackupRestore.md
View File

@ -5,4 +5,55 @@ permalink: /doc/Dom0Tools/QvmBackupRestore/
redirect_from: /wiki/Dom0Tools/QvmBackupRestore/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-backup-restore.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-backup-restore.rst;hb=master,%20text/x-rst))
qvm-backup-restore
==================
NAME
----
qvm-backup-restore - restores Qubes VMs from backup
Date
2012-04-10
SYNOPSIS
--------
qvm-backup-restore [options] \<backup-dir\>
OPTIONS
-------
-h, --help
Show this help message and exit
--skip-broken
Do not restore VMs that have missing templates or netvms
--ignore-missing
Ignore missing templates or netvms, restore VMs anyway
--skip-conflicting
Do not restore VMs that are already present on the host
--force-root
Force to run, even with root privileges
--replace-template=REPLACE\_TEMPLATE
Restore VMs using another template, syntax: old-template-name:new-template-name (might be repeated)
-x EXCLUDE, --exclude=EXCLUDE
Skip restore of specified VM (might be repeated)
--skip-dom0-home
Do not restore dom0 user home dir
--ignore-username-mismatch
Ignore dom0 username mismatch while restoring homedir
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

50
Dom0Tools/QvmBlock.md
View File

@ -5,4 +5,52 @@ permalink: /doc/Dom0Tools/QvmBlock/
redirect_from: /wiki/Dom0Tools/QvmBlock/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-block.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-block.rst;hb=master,%20text/x-rst))
qvm-block
=========
NAME
----
qvm-block - list/set VM PCI devices.
Date
2012-04-10
SYNOPSIS
--------
qvm-block -l [options]
qvm-block -a [options] \<device\> \<vm-name\>
qvm-block -d [options] \<device\>
qvm-block -d [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-l, --list
List block devices
-a, --attach
Attach block device to specified VM
-d, --detach
Detach block device
-f FRONTEND, --frontend=FRONTEND
Specify device name at destination VM [default: xvdi]
--ro
Force read-only mode
--no-auto-detach
Fail when device already connected to other VM
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

35
Dom0Tools/QvmClone.md
View File

@ -5,4 +5,37 @@ permalink: /doc/Dom0Tools/QvmClone/
redirect_from: /wiki/Dom0Tools/QvmClone/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-clone.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-clone.rst;hb=master,%20text/x-rst))
qvm-clone
=========
NAME
----
qvm-clone - clones an existing VM by copying all its disk files
Date
2012-04-10
SYNOPSIS
--------
qvm-clone [options] \<src-name\> \<new-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-q, --quiet
Be quiet
-p DIR\_PATH, --path=DIR\_PATH
Specify path to the template directory
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

71
Dom0Tools/QvmCreate.md
View File

@ -5,4 +5,73 @@ permalink: /doc/Dom0Tools/QvmCreate/
redirect_from: /wiki/Dom0Tools/QvmCreate/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-create.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-create.rst;hb=master,%20text/x-rst))
qvm-create
==========
NAME
----
qvm-create - creates a new VM
Date
2012-04-10
SYNOPSIS
--------
qvm-create [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-t TEMPLATE, --template=TEMPLATE
Specify the TemplateVM to use
-l LABEL, --label=LABEL
Specify the label to use for the new VM (e.g. red, yellow, green, ...)
-p, --proxy
Create ProxyVM
-n, --net
Create NetVM
-H, --hvm
Create HVM (standalone, unless --template option used)
--hvm-template
Create HVM template
-R ROOT\_MOVE, --root-move-from=ROOT\_MOVE
Use provided root.img instead of default/empty one (file will be MOVED)
-r ROOT\_COPY, --root-copy-from=ROOT\_COPY
Use provided root.img instead of default/empty one (file will be COPIED)
-s, --standalone
Create standalone VM - independent of template
-m MEM, --mem=MEM
Initial memory size (in MB)
-c VCPUS, --vcpus=VCPUS
VCPUs count
-i, --internal
Create VM for internal use only (hidden in qubes-manager, no appmenus)
--force-root
Force to run, even with root privileges
-q, --quiet
Be quiet
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

38
Dom0Tools/QvmCreateDefaultDvm.md
View File

@ -5,4 +5,40 @@ permalink: /doc/Dom0Tools/QvmCreateDefaultDvm/
redirect_from: /wiki/Dom0Tools/QvmCreateDefaultDvm/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-create-default-dvm.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-create-default-dvm.rst;hb=master,%20text/x-rst))
qvm-create-default-dvm
======================
NAME
----
qvm-create-default-dvm - creates a default disposable VM
Date
2012-04-10
SYNOPSIS
--------
qvm-create-default-dvm templatename|--default-template|--used-template [script-name|--default-script]
OPTIONS
-------
templatename
Base DispVM on given template. The command will create AppVM named after template with "-dvm" suffix. This VM will be used to create DispVM savefile. If you want to customize DispVM, use this VM - take a look at <https://wiki.qubes-os.org/wiki/UserDoc/DispVMCustomization>
--default-template
Use default template for the DispVM
--used-template
Use the same template as earlier
--default-script
Use default script for seeding DispVM home.
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

58
Dom0Tools/QvmFirewall.md
View File

@ -5,4 +5,60 @@ permalink: /doc/Dom0Tools/QvmFirewall/
redirect_from: /wiki/Dom0Tools/QvmFirewall/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-firewall.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-firewall.rst;hb=master,%20text/x-rst))
qvm-firewall
============
NAME
----
qvm-firewall
Date
2012-04-10
SYNOPSIS
--------
qvm-firewall [-n] \<vm-name\> [action] [rule spec]
Rule specification can be one of:
1. address|hostname[/netmask] tcp|udp port[-port]
2. address|hostname[/netmask] tcp|udp service\_name
3. address|hostname[/netmask] any
OPTIONS
-------
-h, --help
Show this help message and exit
-l, --list
List firewall settings (default action)
-a, --add
Add rule
-d, --del
Remove rule (given by number or by rule spec)
-P SET\_POLICY, --policy=SET\_POLICY
Set firewall policy (allow/deny)
-i SET\_ICMP, --icmp=SET\_ICMP
Set ICMP access (allow/deny)
-D SET\_DNS, --dns=SET\_DNS
Set DNS access (allow/deny)
-Y SET\_YUM\_PROXY, --yum-proxy=SET\_YUM\_PROXY
Set access to Qubes yum proxy (allow/deny). *Note:* if set to "deny", access will be rejected even if policy set to "allow"
-n, --numeric
Display port numbers instead of services (makes sense only with --list)
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

29
Dom0Tools/QvmGrowPrivate.md
View File

@ -5,4 +5,31 @@ permalink: /doc/Dom0Tools/QvmGrowPrivate/
redirect_from: /wiki/Dom0Tools/QvmGrowPrivate/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-grow-private.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-grow-private.rst;hb=master,%20text/x-rst))
qvm-grow-private
================
NAME
----
qvm-grow-private - increase private storage capacity of a specified VM
Date
2012-04-10
SYNOPSIS
--------
qvm-grow-private \<vm-name\> \<size\>
OPTIONS
-------
-h, --help
Show this help message and exit
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

29
Dom0Tools/QvmKill.md
View File

@ -5,4 +5,31 @@ permalink: /doc/Dom0Tools/QvmKill/
redirect_from: /wiki/Dom0Tools/QvmKill/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-kill.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-kill.rst;hb=master,%20text/x-rst))
qvm-kill
========
NAME
----
qvm-kill - kills the specified VM
Date
2012-04-10
SYNOPSIS
--------
qvm-kill [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

53
Dom0Tools/QvmLs.md
View File

@ -5,4 +5,55 @@ permalink: /doc/Dom0Tools/QvmLs/
redirect_from: /wiki/Dom0Tools/QvmLs/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-ls.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-ls.rst;hb=master,%20text/x-rst))
qvm-ls
======
NAME
----
qvm-ls - list VMs and various information about their state
Date
2012-04-03
SYNOPSIS
--------
qvm-ls [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show help message and exit
-n, --network
Show network addresses assigned to VMs
-c, --cpu
Show CPU load
-m, --mem
Show memory usage
-d, --disk
Show VM disk utilization statistics
-i, --ids
Show Qubes and Xen id
-k, --kernel
Show VM kernel options
-b, --last-backup
Show date of last VM backup
--raw-list
List only VM names one per line
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

40
Dom0Tools/QvmPci.md
View File

@ -5,4 +5,42 @@ permalink: /doc/Dom0Tools/QvmPci/
redirect_from: /wiki/Dom0Tools/QvmPci/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-pci.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-pci.rst;hb=master,%20text/x-rst))
qvm-pci
=======
NAME
----
qvm-pci - list/set VM PCI devices
Date
2012-04-11
SYNOPSIS
--------
qvm-pci -l [options] \<vm-name\>
qvm-pci -a [options] \<vm-name\> \<device\>
qvm-pci -d [options] \<vm-name\> \<device\>
OPTIONS
-------
-h, --help
Show this help message and exit
-l, --list
List VM PCI devices
-a, --add
Add a PCI device to specified VM
-d, --delete
Remove a PCI device from specified VM
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

139
Dom0Tools/QvmPrefs.md
View File

@ -5,4 +5,141 @@ permalink: /doc/Dom0Tools/QvmPrefs/
redirect_from: /wiki/Dom0Tools/QvmPrefs/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-prefs.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-prefs.rst;hb=master,%20text/x-rst))
qvm-prefs
=========
NAME
----
qvm-prefs - list/set various per-VM properties
Date
2012-04-11
SYNOPSIS
--------
qvm-prefs -l [options] \<vm-name\>
qvm-prefs -s [options] \<vm-name\> \<property\> [...]
OPTIONS
-------
-h, --help
Show this help message and exit
-l, --list
List properties of a specified VM
-s, --set
Set properties of a specified VM
PROPERTIES
----------
include\_in\_backups
Accepted values: `True`, `False`
Control whenever this VM will be included in backups by default (for now works only in qubes-manager). You can always manually select or deselect any VM for backup.
pcidevs
PCI devices assigned to the VM. Should be edited using qvm-pci tool.
label
Accepted values: `red`, `orange`, `yellow`, `green`, `gray`, `blue`, `purple`, `black`
Color of VM label (icon, appmenus, windows border). If VM is running, change will be applied at first VM restart.
netvm
Accepted values: netvm name, `default`, `none`
To which NetVM connect. Setting to `default` will follow system-global default NetVM (managed by qubes-prefs). Setting to `none` will disable networking in this VM.
dispvm\_netvm
Accepted values: netvm name, `default`, `none`
Which NetVM should be used for Disposable VMs started by this one. `default` is to use the same NetVM as the VM itself.
maxmem
Accepted values: memory size in MB
Maximum memory size available for this VM. Dynamic memory management (aka qmemman) will not be able to balloon over this limit. For VMs with qmemman disabled, this will be overridden by *memory* property (at VM startup).
memory
Accepted values: memory size in MB
Initial memory size for VM. This should be large enough to allow VM startup - before qmemman starts managing memory for this VM. For VM with qmemman disabled, this is static memory size.
kernel
Accepted values: kernel version, `default`, `none`
Kernel version to use (only for PV VMs). Available kernel versions will be listed when no value given (there are in /var/lib/qubes/vm-kernels). Setting to `default` will follow system-global default kernel (managed via qubes-prefs). Setting to `none` will use "kernels" subdir in VM directory - this allows having VM-specific kernel; also this the only case when /lib/modules is writable from within VM.
template
Accepted values: TemplateVM name
TemplateVM on which VM base. It can be changed only when VM isn't running.
vcpus
Accepted values: no of CPUs
Number of CPU (cores) available to VM. Some VM types (eg DispVM) will not work properly with more than one CPU.
kernelopts
Accepted values: string, `default`
VM kernel parameters (available only for PV VMs). This can be used to workaround some hardware specific problems (eg for NetVM). Setting to `default` will use some reasonable defaults (currently different for VMs with PCI devices and without). Some helpful options (for debugging purposes): `earlyprintk=xen`, `init=/bin/bash`
name
Accepted values: alphanumerical name
Name of the VM. Can be only changed when VM isn't running.
drive
Accepted values: [hd:|cdrom:][backend-vm:]path
Additional drive for the VM (available only for HVMs). This can be used to attach installation image. `path` can be file or physical device (eg. /dev/sr0). The same syntax can be used in qvm-start --drive - to attach drive only temporarily.
mac
Accepted values: MAC address, `auto`
Can be used to force specific of virtual ethernet card in the VM. Setting to `auto` will use automatic-generated MAC - based on VM id. Especially useful when some licencing depending on static MAC address. For template-based HVM `auto` mode means to clone template MAC.
default\_user
Accepted values: username
Default user used by qvm-run. Note that it make sense only on non-standard template, as the standard one always have "user" account.
debug
Accepted values: `on`, `off`
Enables debug mode for VM. This can be used to turn on/off verbose logging in many qubes components at once (gui virtualization, VM kernel, some other services). For template-based HVM, enabling debug mode also disables automatic reset root.img (actually volatile.img) before each VM startup, so changes made to root filesystem stays intact. To force reset root.img when debug mode enabled, either change something in the template (simple start+stop will do, even touch its root.img is enough), or remove VM's volatile.img (check the path with qvm-prefs).
qrexec\_installed
Accepted values: `True`, `False`
This HVM have qrexec agent installed. When VM have qrexec agent installed, one can use qvm-run to start VM process, VM will benefit from Qubes RPC services (like file copy, or inter-vm clipboard). This option will be automatically turned on during Qubes Windows Tools installation, but if you install qrexec agent in some other OS, you need to turn this option on manually.
guiagent\_installed
Accepted values: `True`, `False`
This HVM have gui agent installed. This option disables full screen GUI virtualization and enables per-window seemless GUI mode. This option will be automatically turned on during Qubes Windows Tools installation, but if you install qubes gui agent in some other OS, you need to turn this option on manually. You can turn this option off to troubleshoot some early HVM OS boot problems (enter safe mode etc), but the option will be automatically enabled at first VM normal startup (and will take effect from the next startup).
*Notice:* when Windows GUI agent is installed in the VM, SVGA device (used to full screen video) is disabled, so even if you disable this option, you will not get functional full desktop access (on normal VM startup). Use some other means for that (VNC, RDP or so).
autostart
Accepted values: `True`, `False`
Start the VM during system startup. The default netvm is autostarted regardless of this setting.
timezone
Accepted values: `localtime`, time offset in seconds
Set emulated HVM clock timezone. Use `localtime` (the default) to use the same time as dom0 have. Note that HVM will get only clock value, not the timezone itself, so if you use `localtime` setting, OS inside of HVM should also be configured to treat hardware clock as local time (and have proper timezone set).
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

38
Dom0Tools/QvmRemove.md
View File

@ -5,4 +5,40 @@ permalink: /doc/Dom0Tools/QvmRemove/
redirect_from: /wiki/Dom0Tools/QvmRemove/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-remove.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-remove.rst;hb=master,%20text/x-rst))
qvm-remove
==========
NAME
----
qvm-remove - remove a VM
Date
2012-04-11
SYNOPSIS
--------
qvm-remove [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-q, --quiet
Be quiet
--just-db
Remove only from the Qubes Xen DB, do not remove any files
--force-root
Force to run, even with root privileges
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

32
Dom0Tools/QvmRevertTemplateChanges.md
View File

@ -5,4 +5,34 @@ permalink: /doc/Dom0Tools/QvmRevertTemplateChanges/
redirect_from: /wiki/Dom0Tools/QvmRevertTemplateChanges/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-revert-template-changes.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-revert-template-changes.rst;hb=master,%20text/x-rst))
qvm-revert-template-changes
===========================
NAME
----
qvm-revert-template-changes
Date
2012-04-11
SYNOPSIS
--------
qvm-revert-template-changes [options] \<template-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
--force
Do not prompt for comfirmation
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

68
Dom0Tools/QvmRun.md
View File

@ -5,4 +5,70 @@ permalink: /doc/Dom0Tools/QvmRun/
redirect_from: /wiki/Dom0Tools/QvmRun/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-run.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-run.rst;hb=master,%20text/x-rst))
qvm-run
=======
NAME
----
qvm-run - run a command on a specified VM
Date
2012-04-11
SYNOPSIS
--------
qvm-run [options] [\<vm-name\>] [\<cmd\>]
OPTIONS
-------
-h, --help
Show this help message and exit
-q, --quiet
Be quiet
-a, --auto
Auto start the VM if not running
-u USER, --user=USER
Run command in a VM as a specified user
--tray
Use tray notifications instead of stdout
--all
Run command on all currently running VMs (or all paused, in case of --unpause)
--exclude=EXCLUDE\_LIST
When --all is used: exclude this VM name (might be repeated)
--wait
Wait for the VM(s) to shutdown
--shutdown
(deprecated) Do 'xl shutdown' for the VM(s) (can be combined this with --all and --wait)
--pause
Do 'xl pause' for the VM(s) (can be combined this with --all and --wait)
--unpause
Do 'xl unpause' for the VM(s) (can be combined this with --all and --wait)
-p, --pass-io
Pass stdin/stdout/stderr from remote program
--localcmd=LOCALCMD
With --pass-io, pass stdin/stdout/stderr to the given program
--force
Force operation, even if may damage other VMs (eg. shutdown of NetVM)
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

127
Dom0Tools/QvmService.md
View File

@ -5,4 +5,129 @@ permalink: /doc/Dom0Tools/QvmService/
redirect_from: /wiki/Dom0Tools/QvmService/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-service.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-service.rst;hb=master,%20text/x-rst))
qvm-service
===========
NAME
----
qvm-service - manage (Qubes-specific) services started in VM
Date
2012-05-30
SYNOPSIS
--------
qvm-service [-l] \<vmname\>
qvm-service [-e|-d|-D] \<vmname\> \<service\>
OPTIONS
-------
-h, --help
Show this help message and exit
-l, --list
List services (default action)
-e, --enable
Enable service
-d, --disable
Disable service
-D, --default
Reset service to its default state (remove from the list). Default state means "lets VM choose" and can depend on VM type (NetVM, AppVM etc).
SUPPORTED SERVICES
------------------
This list can be incomplete as VM can implement any additional service without knowlege of qubes-core code.
meminfo-writer
Default: enabled everywhere excluding NetVM
This service reports VM memory usage to dom0, which effectively enables dynamic memory management for the VM.
*Note:* this service is enforced to be set by dom0 code. If you try to remove it (reset to defult state), will be recreated with the rule: enabled if VM have no PCI devices assigned, otherwise disabled.
qubes-dvm
Default: disabled
Used internally when creating DispVM savefile.
qubes-firewall
Default: enabled only in ProxyVM
Dynamic firewall manager, based on settings in dom0 (qvm-firewall, firewall tab in qubes-manager). This service is not supported in netvms.
qubes-network
Default: enabled only in NetVM and ProxyVM
Expose network for other VMs. This includes enabling network forwarding, MASQUERADE, DNS redirection and basic firewall.
qubes-netwatcher
Default: enabled only in ProxyVM
Monitor IP change notification from NetVM. When received, reload qubes-firewall service (to force DNS resolution). This service makes sense only with qubes-firewall enabled.
qubes-update-check
Default: enabled
Notify dom0 about updates available for this VM. This is shown in qubes-manager as 'update-pending' flag.
cups
Default: enabled only in AppVM
Enable CUPS service. The user can disable cups in VM which do not need printing to speed up booting.
cron
Default: disabled
Enable CRON service.
network-manager
Default: enabled in NetVM
Enable NetworkManager. Only VM with direct access to network device needs this service, but can be useful in ProxyVM to ease VPN setup.
ntpd
Default: disabled
Enable NTPD service. By default Qubes calls ntpdate every 6 minutes in selected VM (aka ClockVM), then propagate the result using qrexec calls. Enabling ntpd *do not* disable this behaviour.
qubes-yum-proxy
Deprecated name for qubes-updates-proxy.
qubes-updates-proxy
Default: enabled in NetVM
Provide proxy service, which allow access only to yum repos. Filtering is done based on URLs, so it shouldn't be used as leak control (pretty easy to bypass), but is enough to prevent some erroneous user actions.
yum-proxy-setup
Deprecated name for updates-proxy-setup.
updates-proxy-setup
Default: enabled in AppVM (also in templates)
Setup yum at startup to use qubes-yum-proxy service.
*Note:* this service is automatically enabled when you allow VM to access yum proxy (in firewall settings) and disabled when you deny access to yum proxy.
disable-default-route
Default: disabled
Disables the default route for networking. Enabling this service will prevent the creation of the default route, but the VM will still be able to reach it's direct neighbors. The functionality is implemented in /usr/lib/qubes/setup-ip.
disable-dns-server
Default: disabled
Enabling this service will result in an empty /etc/resolv.conf. The functionality is implemented in /usr/lib/qubes/setup-ip.
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

44
Dom0Tools/QvmShutdown.md
View File

@ -5,4 +5,46 @@ permalink: /doc/Dom0Tools/QvmShutdown/
redirect_from: /wiki/Dom0Tools/QvmShutdown/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-shutdown.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-shutdown.rst;hb=master,%20text/x-rst))
qvm-shutdown
============
NAME
----
qvm-shutdown
Date
2012-04-11
SYNOPSIS
--------
qvm-shutdown [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-q, --quiet
Be quiet
--force
Force operation, even if may damage other VMs (eg. shutdown of NetVM)
--wait
Wait for the VM(s) to shutdown
--all
Shutdown all running VMs
--exclude=EXCLUDE\_LIST
When --all is used: exclude this VM name (might be repeated)
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

44
Dom0Tools/QvmStart.md
View File

@ -5,4 +5,46 @@ permalink: /doc/Dom0Tools/QvmStart/
redirect_from: /wiki/Dom0Tools/QvmStart/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-start.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-start.rst;hb=master,%20text/x-rst))
qvm-start
=========
NAME
----
qvm-start - start a specified VM
Date
2012-04-11
SYNOPSIS
--------
qvm-start [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
-q, --quiet
Be quiet
--no-guid
Do not start the GUId (ignored)
--console
Attach debugging console to the newly started VM
--dvm
Do actions necessary when preparing DVM image
--custom-config=CUSTOM\_CONFIG
Use custom Xen config instead of Qubes-generated one
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

29
Dom0Tools/QvmTemplateCommit.md
View File

@ -5,4 +5,31 @@ permalink: /doc/Dom0Tools/QvmTemplateCommit/
redirect_from: /wiki/Dom0Tools/QvmTemplateCommit/
---
[Include(http://git.qubes-os.org/?p=marmarek/core-admin.git;a=blob\_plain;f=doc/qvm-tools/qvm-template-commit.rst;hb=master, text/x-rst)?](/wiki/Dom0Tools/Include(http%3A/git.qubes-os.org?p=marmarek/core-admin.git;a=blob_plain;f=doc/qvm-tools/qvm-template-commit.rst;hb=master,%20text/x-rst))
qvm-template-commit
===================
NAME
----
qvm-template-commit
Date
2012-04-11
SYNOPSIS
--------
qvm-template-commit [options] \<vm-name\>
OPTIONS
-------
-h, --help
Show this help message and exit
AUTHORS
-------
Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
Marek Marczykowski \<marmarek at invisiblethingslab dot com\>

242
UserDoc/TorVM.md
View File

@ -5,13 +5,243 @@ permalink: /doc/UserDoc/TorVM/
redirect_from: /wiki/UserDoc/TorVM/
---
**TEXTError: Failed to load processor -1-1STARTcode-1-1TEXTMarkdown-1-1ENDcode-1-1TEXT-1-1**
No macro or processor named 'Markdown' found
Known issues:
-------------
- [Service doesn't start without (even empty) user torrc](https://groups.google.com/d/msg/qubes-users/fyBVmxIpbSs/R5mxUcIEZAQJ)
- [Service doesn't start without (even empty) user torrc](https://groups.google.com/d/msg/qubes-users/fyBVmxIpbSs/R5mxUcIEZAQJ)
Qubes TorVM (qubes-tor)
==========================
Qubes TorVM is a ProxyVM service that provides torified networking to all its
clients.
By default, any AppVM using the TorVM as its NetVM will be fully torified, so
even applications that are not Tor aware will be unable to access the outside
network directly.
Moreover, AppVMs running behind a TorVM are not able to access globally
identifying information (IP address and MAC address).
Due to the nature of the Tor network, only IPv4 TCP and DNS traffic is allowed.
All non-DNS UDP and IPv6 traffic is silently dropped.
See [this article](http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html) for a description of the concept, architecture, and the original implementation.
## Warning + Disclaimer
1. Qubes TorVM is produced independently from the Tor(R) anonymity software and
carries no guarantee from The Tor Project about quality, suitability or
anything else.
2. Qubes TorVM is not a magic anonymizing solution. Protecting your identity
requires a change in behavior. Read the "Protecting Anonymity" section
below.
3. Traffic originating from the TorVM itself **IS NOT** routed through Tor.
This includes system updates to the TorVM. Only traffic from VMs using TorVM
as their NetVM is torified.
Installation
============
0. *(Optional)* If you want to use a separate vm template for your TorVM
qvm-clone fedora-20-x64 fedora-20-x64-net
1. In dom0, create a proxy vm and disable unnecessary services and enable qubes-tor
qvm-create -p torvm
qvm-service torvm -d qubes-netwatcher
qvm-service torvm -d qubes-firewall
qvm-service torvm -e qubes-tor
# if you created a new template in the previous step
qvm-prefs torvm -s template fedora-20-x64-net
2. From your template vm, install the torproject Fedora repo
sudo yum install qubes-tor-repo
3. Then, in the template, install the TorVM init scripts
sudo yum install qubes-tor
5. Configure an AppVM to use TorVM as its netvm (example a vm named anon-web)
qvm-prefs -s anon-web netvm torvm
... repeat for other appvms ...
6. Shutdown templateVM.
7. Set prefs of torvm to use your default netvm or firewallvm as its NetVM
8. Start the TorVM and any AppVM you have configured
9. Execute in TorVM (will be not necessary in R2 Beta3):
sudo mkdir /rw/usrlocal/etc/qubes-tor
sudo touch /rw/usrlocal/etc/qubes-tor/torrc
sudo service qubes-tor restart
10. From the AppVM, verify torified connectivity
curl https://check.torproject.org
### Troubleshooting ###
1. Check if the qubes-tor service is running (on the torvm)
[user@torvm] $ sudo service qubes-tor status
2. Tor logs to syslog, so to view messages use
[user@torvm] $ sudo grep Tor /var/log/messages
3. Restart the qubes-tor service (and repeat 1-2)
[user@torvm] $ sudo service qubes-tor restart
Usage
=====
Applications should "just work" behind a TorVM, however there are some steps
you can take to protect anonymity and increase performance.
## Protecting Anonymity
The TorVM only purports to prevent the leaking of two identifiers:
1. WAN IP Address
2. NIC MAC Address
This is accomplished through transparent TCP and transparent DNS proxying by
the TorVM.
The TorVM cannot anonymize information stored or transmitted from your AppVMs
behind the TorVM.
*Non-comprehensive* list of identifiers TorVM does not protect:
* Time zone
* User names and real name
* Name+version of any client (e.g. IRC leaks name+version through CTCP)
* Metadata in files (e.g., exif data in images, author name in PDFs)
* License keys of non-free software
### Further Reading
* [Information on protocol leaks](https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#Protocolleaks)
* [Official Tor Usage Warning](https://www.torproject.org/download/download-easy.html.en#warning)
* [Tor Browser Design](https://www.torproject.org/projects/torbrowser/design/)
## Performance
In order to mitigate identity correlation TorVM makes use of Tor's new [stream
isolation feature][stream-isolation]. Read "Threat Model" below for more
information.
However, this isn't desirable in all situations, particularly web browsing.
These days loading a single web page requires fetching resources (images,
javascript, css) from a dozen or more remote sources. Moreover, the use of
IsolateDestAddr in a modern web browser may create very uncommon HTTP behavior
patterns, that could ease fingerprinting.
Additionally, you might have some apps that you want to ensure always share a
Tor circuit or always get their own.
For these reasons TorVM ships with two open SOCKS5 ports that provide Tor
access with different stream isolation settings:
* Port 9050 - Isolates by SOCKS Auth and client address only
Each AppVM gets its own circuit, and each app using a unique SOCKS
user/pass gets its own circuit
* Port 9049 - Isolates client + estination port, address, and by SOCKS Auth
Same as default settings listed above, but additionally traffic
is isolated based on destination port and destination address.
## Custom Tor Configuration
Default tor settings are found in the following file and are the same across
all TorVMs.
/usr/lib/qubes-tor/torrc
You can override these settings in your TorVM, or provide your own custom
settings by appending them to:
/rw/usrlocal/etc/qubes-tor/torrc
For information on tor configuration settings `man tor`
Threat Model
============
TorVM assumes the same Adversary Model as [TorBrowser][tor-threats], but does
not, by itself, have the same security and privacy requirements.
## Proxy Obedience
The primary security requirement of TorVM is *Proxy Obedience*.
Client AppVMs MUST NOT bypass the Tor network and access the local physical
network, internal Qubes network, or the external physical network.
Proxy Obedience is assured through the following:
1. All TCP traffic from client VMs is routed through Tor
2. All DNS traffic from client VMs is routed through Tor
3. All non-DNS UDP traffic from client VMs is dropped
4. Reliance on the [Qubes OS network model][qubes-net] to enforce isolation
## Mitigate Identity Correlation
TorVM SHOULD prevent identity correlation among network services.
Without stream isolation, all traffic from different activities or "identities"
in different applications (e.g., web browser, IRC, email) end up being routed
through the same tor circuit. An adversary could correlate this activity to a
single pseudonym.
TorVM uses the default stream isolation settings for transparently torified
traffic. While more paranoid options are available, they are not enabled by
default because they decrease performance and in most cases don't help
anonymity (see [this tor-talk thread][stream-isolation-explained])
By default TorVM does not use the most paranoid stream isolation settings for
transparently torified traffic due to performance concerns. By default TorVM
ensures that each AppVM will use a separate tor circuit (`IsolateClientAddr`).
For more paranoid use cases the SOCKS proxy port 9049 is provided that has all
stream isolation options enabled. User applications will require manual
configuration to use this socks port.
Future Work
===========
* Integrate Vidalia
* Create Tor Browser packages w/out bundled tor
* Use local DNS cache to speedup queries (pdnsd)
* Support arbitrary [DNS queries][dns]
* Fix Tor's openssl complaint
* Support custom firewall rules (to support running a relay)
Acknowledgements
================
Qubes TorVM is inspired by much of the previous work done in this area of
transparent torified solutions. Notably the following:
* [adrelanos](mailto:adrelanos@riseup.net) for his work on [aos/Whonix](https://sourceforge.net/p/whonix/wiki/Security/)
* The [Tor Project wiki](https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO)
* And the many people who contributed to discussions on [tor-talk](https://lists.torproject.org/pipermail/tor-talk/)
[stream-isolation]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/171-separate-streams.txt
[stream-isolation-explained]: https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html
[tor-threats]: https://www.torproject.org/projects/torbrowser/design/#adversary
[qubes-net]: http://wiki.qubes-os.org/trac/wiki/QubesNet
[dns]: https://tails.boum.org/todo/support_arbitrary_dns_queries/
Source of this document: [http://git.qubes-os.org/gitweb/?p=marmarek/qubes-app-linux-tor.git;a=blob;f=README.md](http://git.qubes-os.org/gitweb/?p=marmarek/qubes-app-linux-tor.git;a=blob;f=README.md)