From dcf0a1f302c7668499c963f8224420bf7e92b941 Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Mon, 30 Apr 2018 10:07:59 +0000 Subject: [PATCH 1/4] add static Disposable VMs for sys-* --- customization/dispvm-customization.md | 36 +++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md index 00ff06db..2bae0c1a 100644 --- a/customization/dispvm-customization.md +++ b/customization/dispvm-customization.md 
@@ -57,6 +57,42 @@ It is possible to change the settings for each new Disposable VM (DispVM). This 4. Shutdown the qube (either by `poweroff` from qube's terminal, or `qvm-shutdown` from dom0 terminal). +### Using static Disposable VMs for sys-* ### + +You can use a static DispVM for `sys-*` as long as it is stateless. +For example, a `sys-net` using DHCP or `sys-usb` will work. +`sys-firewall` will not work unless you have no custom rules set, because per VM rules are stored in a configuration file inside that AppVM. +To create one: + +~~~ +qvm-create -C DispVM -l red +qvm-prefs virt_mode hvm +qvm-service meminfo-writer off +qvm-pci attach --persistent dom0: +qvm-prefs autostart true +qvm-prefs netvm '' +# optional, if this DispVM will be providing networking +qvm-prefs provides_network true +~~~ + +Next, set the old `sys-` VM's autostart to false, and update any VMs that referenced the old one. +For example, `qvm-prefs sys-firewall netvm `. +See below for a complete example of a `sys-net` replacement: + +~~~ +qvm-create -C DispVM -l red sys-net2 +qvm-prefs sys-net2 virt_mode hvm +qvm-service sys-net2 meminfo-writer off +qvm-pci attach --persistent sys-net2 dom0:00_1a.0 +qvm-prefs sys-net2 autostart true +qvm-prefs sys-net2 netvm '' +qvm-prefs sys-net2 provides_network true +qvm-prefs sys-net autostart false +qvm-prefs sys-firewall netvm sys-net2 +~~~ + +Note that these types of DispVMs will not show in the Application menu, but you can still get to a terminal if needed with `qvm-run gnome-terminal`. + ### Adding programs to Disposable VM Application Menu ### For added convenience, arbitrary programs can be added to the Application Menu of the Disposable VM. From 7aec5bedfbc346d3d5eae573288e6491e8cfbb59 Mon Sep 17 00:00:00 2001 
From: awokd <34515595+awokd@users.noreply.github.com> Date: Fri, 4 May 2018 10:34:02 +0000 Subject: [PATCH 2/4] add separate example for sys-firewall replacement --- customization/dispvm-customization.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md index 2bae0c1a..caf7cdf9 100644 --- a/customization/dispvm-customization.md +++ b/customization/dispvm-customization.md @@ -61,8 +61,24 @@ It is possible to change the settings for each new Disposable VM (DispVM). This You can use a static DispVM for `sys-*` as long as it is stateless. For example, a `sys-net` using DHCP or `sys-usb` will work. -`sys-firewall` will not work unless you have no custom rules set, because per VM rules are stored in a configuration file inside that AppVM. -To create one: +`sys-firewall` will also work unless you have custom rules set, because per VM rules are stored in a configuration file inside the firewall AppVM. + +To create one that has no PCI devices attached, such as for `sys-firewall`: + +~~~ +qvm-create -C DispVM -l red +qvm-prefs autostart true +qvm-prefs netvm +qvm-prefs provides_network true +~~~ + +Next, set the old `sys-firewall` autostart to false, and update any VMs that referenced the old one to instead point to the new. +For example, with `qvm-prefs work netvm sys-firewall2`. + +To create one with a PCI device attached such as for `sys-net` or `sys-usb`, use the additional commands as follows. + +**Note** You can use `qvm-pci` to [determine](/doc/assigning-devices/#r40) the ``. +Also, you will often need to include the `-o no-strict-reset=True` [option](/doc/assigning-devices/#r40-1) with USB controllers. ~~~ qvm-create -C DispVM -l red From b88d74c7b0ace8da7d895e43ccb43a33bed36eaa Mon Sep 17 00:00:00 2001 
From: awokd <34515595+awokd@users.noreply.github.com> Date: Fri, 4 May 2018 10:46:14 +0000 Subject: [PATCH 3/4] complete "complete example" of dispvm sys-net --- customization/dispvm-customization.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md index caf7cdf9..7816ab88 100644 --- a/customization/dispvm-customization.md +++ b/customization/dispvm-customization.md @@ -72,7 +72,7 @@ qvm-prefs netvm qvm-prefs provides_network true ~~~ -Next, set the old `sys-firewall` autostart to false, and update any VMs that referenced the old one to instead point to the new. +Next, set the old `sys-firewall` autostart to false, and update any references to the old one to instead point to the new. For example, with `qvm-prefs work netvm sys-firewall2`. To create one with a PCI device attached such as for `sys-net` or `sys-usb`, use the additional commands as follows. @@ -91,7 +91,7 @@ qvm-prefs netvm '' qvm-prefs provides_network true ~~~ -Next, set the old `sys-` VM's autostart to false, and update any VMs that referenced the old one. +Next, set the old `sys-` VM's autostart to false, and update any references to the old one. For example, `qvm-prefs sys-firewall netvm `. See below for a complete example of a `sys-net` replacement: @@ -105,6 +105,7 @@ qvm-prefs sys-net2 netvm '' qvm-prefs sys-net2 provides_network true qvm-prefs sys-net autostart false qvm-prefs sys-firewall netvm sys-net2 +qubes-prefs clockvm sys-net2 ~~~ Note that these types of DispVMs will not show in the Application menu, but you can still get to a terminal if needed with `qvm-run gnome-terminal`. From 4536d0b693fd8ed1b48bbe2d03bc60eacc6c0ec5 Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Fri, 4 May 2018 11:05:28 +0000 Subject: [PATCH 4/4] clarify sys-firewall dispvm --- customization/dispvm-customization.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md index 7816ab88..39160125 100644 --- a/customization/dispvm-customization.md +++ b/customization/dispvm-customization.md @@ -61,7 +61,8 @@ It is possible to change the settings for each new Disposable VM (DispVM). This You can use a static DispVM for `sys-*` as long as it is stateless. For example, a `sys-net` using DHCP or `sys-usb` will work. -`sys-firewall` will also work unless you have custom rules set, because per VM rules are stored in a configuration file inside the firewall AppVM. +In most cases `sys-firewall` will also work, even if you have configured AppVM firewall rules. +The only exception is if you require something like VM to VM communication and have manually edited `iptables` or other items directly inside the firewall AppVM. To create one that has no PCI devices attached, such as for `sys-firewall`:
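Review bot: In PATCH 1/4, hunk `@@ -57,6 +57,42 @@`, the generic command block is missing its qube-name argument throughout: `qvm-prefs virt_mode hvm`, `qvm-service meminfo-writer off`, `qvm-pci attach --persistent dom0:` and the closing `qvm-run gnome-terminal` show no qube name and no PCI BDF as written, so if a placeholder was intended it should be spelled out, e.g. `qvm-prefs <name> virt_mode hvm` and `qvm-pci attach --persistent <name> dom0:<bdf>`. Two further points on the same hunk: `qvm-create -C DispVM -l red` never says which disposable template the qube is built from (it falls back to `qubes-prefs default_dispvm` unless `-t` is given), and since a disposable `sys-net` is rebuilt from that template on every boot, the text should tell the reader that this template is the one they now have to keep trusted. And in the "complete example", `qvm-pci attach --persistent sys-net2 dom0:00_1a.0` runs while the old `sys-net` may still be running with that controller attached; suggest inserting `qvm-shutdown sys-net` before the attach and before `qvm-prefs sys-net2 autostart true`, so the device is not claimed by both qubes at the next boot.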
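Review bot: In PATCH 2/4, hunk `@@ -61,8 +61,24 @@`, the justification "because per VM rules are stored in a configuration file inside the firewall AppVM" is not accurate for Qubes 4.0: per-qube firewall rules are kept in dom0 and delivered to the firewall qube over QubesDB when it starts, which is exactly why a disposable `sys-firewall` still enforces them (PATCH 4/4 in this series reworks the sentence, so the two should be squashed or the later wording used here). The new block also has a `qvm-prefs netvm` line with no qube name and no value; make the placeholder explicit, e.g. `qvm-prefs <name> netvm sys-net`. The `-o no-strict-reset=True` advice needs a caveat next to it: it tells Xen to tolerate a controller that cannot be fully reset, so device state can survive across restarts of the disposable, which cuts against the "stateless" property that motivates this section; say so where the option is introduced. Finally, for the `sys-firewall` replacement the text only shows `qvm-prefs work netvm sys-firewall2`; `qubes-prefs updatevm` and `qubes-prefs default_netvm` default to `sys-firewall` and should be listed among the references to update.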
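Review bot: In PATCH 3/4, hunk `@@ -105,6 +105,7 @@`, the added `qubes-prefs clockvm sys-net2` is the right fix but is not explained anywhere in the prose; the preceding text only says "update any references to the old one", and a reader will not know that `clockvm` is one of them. Suggest a sentence before the block, e.g. "`sys-net` is also the default `clockvm`, so point that global setting at the new qube as well", and a parallel line in the `sys-firewall` example for the global settings that default to `sys-firewall`.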
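Review bot: In PATCH 4/4, hunk `@@ -61,7 +61,8 @@`, the new exception ("have manually edited `iptables` or other items directly inside the firewall AppVM") leaves open where such edits live and whether they can be kept. Suggest stating it directly: anything written into the running qube's private volume (for example `/rw/config/qubes-firewall-user-script`) is discarded every time a disposable `sys-firewall` restarts, but the same file placed in the disposable template the qube is created from is carried into every new instance, because a DispVM's private volume is snapshotted from its template. With that, "something like VM to VM communication" can be replaced by the concrete case: rules not expressible through the per-qube firewall settings.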