Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add note on services in Debian templates and install problems

Browse Source 
Closes QubesOS/qubes-issues/2621
This commit is contained in:
unman 2017-02-09 20:29:54 +00:00 committed by GitHub
parent 0b1eb1bb5e
commit 22cf2e0837
1 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
managing-os/templates/debian.md
View File

@ -12,9 +12,9 @@ redirect_from:
Debian template(s)
===============
If you like to use Debian Linux distribution in your AppVMs, you can install one of available Debian templates.
If you would like to use Debian Linux distribution in your qubes, you can install one of the available Debian templates.
Updates for this template are provided by ITL and are signed by this key:
Updates for these templates are provided by ITL and are signed by this key:
pub 4096R/47FD92FA 2014-07-27
Key fingerprint = 2D43 E932 54EE EA7C B31B 6A77 5E58 18AB 47FD 92FA
@ -28,7 +28,7 @@ which is also integrity-protected using signed git tags.
Install
-------
It can be installed via the following command:
Templates can be installed with the following command:
Debian 7 (wheezy) - old stable:
@ -54,6 +54,42 @@ reboot should "just work."
Known issues
------------
###Starting services
The Debian way (generally) is to start daemons if they are installed.
This means that if you install (say) ssh-server in a template, *all* the qubes that use that template will run a ssh server when they start. (They will, naturally, all have the same server key.) This may not be what you want.
So be very careful when installing software in Templates - if the daemon spawns outbound connections then there is a serious security risk.
In general, a reasonable approach would be, (using ssh as example):
- Install the ssh service.
- systemctl stop ssh
- systemctl disable ssh
- systemctl mask ssh
- Close down template
Now the ssh service will **NOT** start in qubes based on this template.
Where you **DO** want the service to run, put this in /rw/config/rc.local:
systemctl unmask ssh
systemctl start ssh
Don't forget to make the file executable.
###Unattended Upgrades
Some users have noticed that on upgrading to Stretch, the unattended-upgrade package is installed.
This package is pulled in as part of a Recommend chain, and can be purged.
The lesson is that you should carefully look at what is being installed to your system, particularly if you run dist-upgrade.
###Contributing
If you want to help in improving the template, feel free to [contribute](/wiki/ContributingHowto).
More information