mirror of https://github.com/QubesOS/qubes-doc.git (synced 2025-01-12 07:49:29 -05:00)
parent c07ee61ed8
commit 63498a6c17
@ -77,7 +77,7 @@ Note that you must create the full folder structure under `/rw/bind-dirs` - e.g
|
||||
|
||||
## Limitations ##
|
||||
|
||||
* Files that exist in the TemplateVM root image cannot be deleted in the app qubes root image using bind-dirs.sh.
|
||||
* Files that exist in the template root image cannot be deleted in the app qubes root image using bind-dirs.sh.
|
||||
* Re-running `sudo /usr/lib/qubes/init/bind-dirs.sh` without a previous `sudo /usr/lib/qubes/init/bind-dirs.sh umount` does not work.
|
||||
* Running `sudo /usr/lib/qubes/init/bind-dirs.sh umount` after boot (before shutdown) is probably not sane and nothing can be done about that.
|
||||
* Many editors create a temporary file and copy it over the original file. If you have bind mounted an individual file this will break the mount.
|
||||
|
@ -38,7 +38,7 @@ If a disposable template becomes compromised, then any disposable based on that
|
||||
Therefore, you should not make any risky customizations (e.g., installing untrusted browser plugins) in important disposable templates.
|
||||
In particular, the *default* disposable template is important because it is used by the "Open in disposable" feature.
|
||||
This means that it will have access to everything that you open with this feature.
|
||||
For this reason, it is strongly recommended that you base the default disposable template on a trusted TemplateVM and refrain from making any risky customizations to it.
|
||||
For this reason, it is strongly recommended that you base the default disposable template on a trusted template and refrain from making any risky customizations to it.
|
||||
|
||||
## Creating a new disposable template
|
||||
|
||||
@ -59,7 +59,7 @@ Additionally you may want to set it as default disposable template:
|
||||
|
||||
The above default is used whenever a qube request starting a new disposable and do not specify which one (for example `qvm-open-in-dvm` tool). This can be also set in qube settings and will affect service calls from that qube. See [qrexec documentation](/doc/qrexec/#specifying-vms-tags-types-targets-etc) for details.
|
||||
|
||||
If you wish to use a [Minimal TemplateVM](/doc/templates/minimal/) as a disposable template, please see the [Minimal TemplateVM](/doc/templates/minimal/) page.
|
||||
If you wish to use a [Minimal Template](/doc/templates/minimal/) as a disposable template, please see the [Minimal Template](/doc/templates/minimal/) page.
|
||||
|
||||
## Customization of disposable
|
||||
|
||||
|
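Review bot: The replacement line for the minimal-template link writes "Minimal Template" with a capital T in both link texts, while every other replacement in this patch uses lowercase "template". Suggest lowercase in the running-text link ("a [minimal template](/doc/templates/minimal/)") and keeping the capital only if the second link is meant to quote the page title.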
@ -31,7 +31,7 @@ This separation of duties significantly reduces the attack surface, since all of
|
||||
Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable.
|
||||
For example, there is nothing that the Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in the cryptographic signature verification operation.
|
||||
At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack.
|
||||
While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular TemplateVM distro's updates, and this would be far too costly for us to maintain.
|
||||
While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular template distro's updates, and this would be far too costly for us to maintain.
|
||||
|
||||
## How to update dom0
|
||||
|
||||
|
@ -35,8 +35,8 @@ In a Debian-based template, use `apt`:
|
||||
sudo apt update && sudo apt install qubes-repo-contrib
|
||||
```
|
||||
|
||||
The new repository definition will be in the usual location for your distro, and it will follow the naming pattern `qubes-contrib-*`, depending on your Qubes release and whether it is in dom0 or a TemplateVM.
|
||||
For example, in a Fedora TemplateVM on Qubes 4.0, the new repository definition would be:
|
||||
The new repository definition will be in the usual location for your distro, and it will follow the naming pattern `qubes-contrib-*`, depending on your Qubes release and whether it is in dom0 or a template.
|
||||
For example, in a Fedora template on Qubes 4.0, the new repository definition would be:
|
||||
|
||||
```
|
||||
/etc/yum.repos.d/qubes-contrib-vm-r4.0.repo
|
||||
|
@ -278,7 +278,7 @@ Booting to a kernel inside the template is not supported under `PVH`.
|
||||
|
||||
#### Distribution kernel
|
||||
|
||||
Apply the following instruction in a Debian TemplateVM or in a Debian StandaloneVM.
|
||||
Apply the following instruction in a Debian template or in a Debian StandaloneVM.
|
||||
|
||||
Using a distribution kernel package the initramfs and kernel modules should be handled automatically.
|
||||
|
||||
|
@ -77,7 +77,7 @@ Mounting the disk
|
||||
| ----------------------------- | ----------------- | ------------------------------------------- |
|
||||
| other\_install/root | dom0 root | The root partition of dom0. |
|
||||
| other\_install/<vm>-private | VM | The /rw partition of the named VM. |
|
||||
| other\_install/<vm>-root | templateVM root | The root partition of the named TemplateVM. |
|
||||
| other\_install/<vm>-root | template root | The root partition of the named template. |
|
||||
| other\_install/pool00\_tmeta | LVM Metadata | The metadata LV of this disk. |
|
||||
|
||||
6. Mount the disk using the command `mount /dev/other_install/<lv name> <mountpoint>`.
|
||||
|
@ -244,7 +244,7 @@ optional arguments:
|
||||
--targets TARGETS Coma separated list of VMs to target
|
||||
--templates Target all templates
|
||||
--app Target all app qubes
|
||||
--all Target all non-disposables (TemplateVMs and app qubes)
|
||||
--all Target all non-disposables (templates and app qubes)
|
||||
```
|
||||
|
||||
To apply a state to all templates, call `qubesctl --templates state.highstate`.
|
||||
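Review bot: The `--all` line changed here sits inside the fenced block of `qubesctl` help text (the options listed under "optional arguments:", closed by the fence just below it), so it is quoted program output rather than prose. Rewording it to "(templates and app qubes)" is only accurate if the tool's own help string was changed the same way; otherwise keep the output as the tool prints it and apply the new terminology to the surrounding prose only.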
@ -263,14 +263,14 @@ Beginning with Qubes 4.0 and after [QSB #45](/news/2018/12/03/qsb-45/), we imple
|
||||
1. Added the `management_dispvm` VM property, which specifies the disposable
|
||||
Template that should be used for management, such as Salt
|
||||
configuration. App qubes inherit this property from their
|
||||
parent TemplateVMs. If the value is not set explicitly, the default
|
||||
parent templates. If the value is not set explicitly, the default
|
||||
is taken from the global `management_dispvm` property. The
|
||||
VM-specific property is set with the `qvm-prefs` command, while the
|
||||
global property is set with the `qubes-prefs` command.
|
||||
|
||||
2. Created the `default-mgmt-dvm` disposable template, which is hidden from
|
||||
the menu (to avoid accidental use), has networking disabled, and has
|
||||
a black label (the same as TemplateVMs). This VM is set as the global
|
||||
a black label (the same as templates). This VM is set as the global
|
||||
`management_dispvm`. Keep in mind that this disposable template has full control
|
||||
over the VMs it's used to manage.
|
||||
|
||||
@ -420,7 +420,7 @@ The default settings can be overridden in the pillar data located in:
|
||||
```
|
||||
|
||||
In dom0, you can apply a single state with `sudo qubesctl state.sls STATE_NAME`.
|
||||
For example, `sudo qubesctl state.sls qvm.personal` will create a `personal` VM (if it does not already exist) with all its dependencies (TemplateVM, `sys-firewall`, and `sys-net`).
|
||||
For example, `sudo qubesctl state.sls qvm.personal` will create a `personal` VM (if it does not already exist) with all its dependencies (template, `sys-firewall`, and `sys-net`).
|
||||
|
||||
### Available states
|
||||
|
||||
@ -483,27 +483,27 @@ Setup UpdatesProxy to route all templates updates through Tor (sys-whonix here).
|
||||
|
||||
#### `qvm.template-fedora-21`
|
||||
|
||||
Fedora-21 TemplateVM
|
||||
Fedora-21 template
|
||||
|
||||
#### `qvm.template-fedora-21-minimal`
|
||||
|
||||
Fedora-21 minimal TemplateVM
|
||||
Fedora-21 minimal template
|
||||
|
||||
#### `qvm.template-debian-7`
|
||||
|
||||
Debian 7 (wheezy) TemplateVM
|
||||
Debian 7 (wheezy) template
|
||||
|
||||
#### `qvm.template-debian-8`
|
||||
|
||||
Debian 8 (jessie) TemplateVM
|
||||
Debian 8 (jessie) template
|
||||
|
||||
#### `qvm.template-whonix-gw`
|
||||
|
||||
Whonix Gateway TemplateVM
|
||||
Whonix Gateway template
|
||||
|
||||
#### `qvm.template-whonix-ws`
|
||||
|
||||
Whonix Workstation TemplateVM
|
||||
Whonix Workstation template
|
||||
|
||||
#### `update.qubes-dom0`
|
||||
|
||||
@ -515,7 +515,7 @@ $ sudo qubesctl --show-output state.sls update.qubes-dom0
|
||||
|
||||
#### `update.qubes-vm`
|
||||
|
||||
Updates domUs. Example to update all TemplateVMs (executed in dom0):
|
||||
Updates domUs. Example to update all templates (executed in dom0):
|
||||
|
||||
```
|
||||
$ sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
|
||||
@ -543,7 +543,7 @@ Additional pillar data is available to ease targeting configurations (for exampl
|
||||
VM type. Possible values:
|
||||
|
||||
- `admin` - Administration domain (`dom0`)
|
||||
- `template` - Template VM
|
||||
- `template` - template
|
||||
- `standalone` - Standalone VM
|
||||
- `app` - Template based app qube
|
||||
|
||||
|
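Review bot: The `template` entry in the "VM type" value list now reads "`template` - template", which defines the value by repeating it and drops the leading capital that the sibling entries use ("Administration domain", "Standalone VM", "Template based app qube"). Suggest at least "`template` - Template" to match the list style, or a short description of what a template is.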
@ -13,8 +13,8 @@ title: StandaloneVMs and HVMs
|
||||
---
|
||||
|
||||
|
||||
A [StandaloneVM](/doc/glossary/#standalonevm) is a type of VM in Qubes that is created by cloning a [TemplateVM](/doc/templates/).
|
||||
Unlike TemplateVMs, however, StandaloneVMs do not supply their root filesystems to other VMs.
|
||||
A [StandaloneVM](/doc/glossary/#standalonevm) is a type of VM in Qubes that is created by cloning a [template](/doc/templates/).
|
||||
Unlike templates, however, StandaloneVMs do not supply their root filesystems to other VMs.
|
||||
Examples of situations in which StandaloneVMs can be useful include:
|
||||
|
||||
- VMs used for development (dev environments often require a lot of specific packages and tools)
|
||||
@ -31,7 +31,7 @@ You can also use HVMs to run "live" distros.
|
||||
By default, every Qubes VM runs in [PVH](/doc/glossary/#pvhvm) mode (which has security advantages over both PV and HVM) except for those with attached PCI devices, which run in HVM mode.
|
||||
See [here](https://blog.invisiblethings.org/2017/07/31/qubes-40-rc1.html) for a discussion of the switch from PV to HVM and [here](/news/2018/01/11/qsb-37/) for the announcement about the change to using PVH as default.
|
||||
|
||||
The StandaloneVM/TemplateVM distinction and the HVM/PV/PVH distinctions are orthogonal.
|
||||
The StandaloneVM/template distinction and the HVM/PV/PVH distinctions are orthogonal.
|
||||
The former is about root filesystem inheritance, whereas the latter is about the virtualization mode.
|
||||
In practice, however, it is most common for StandaloneVMs to be HVMs and for HVMs to be StandaloneVMs.
|
||||
In fact, this is so common that [StandaloneHVMs](/doc/glossary/#standalonehvm) are typically just called "HVMs."
|
||||
@ -130,7 +130,7 @@ There is [opt-in support](/doc/networking/#ipv6) for IPv6 forwarding.
|
||||
|
||||
## Using TemplateBasedHVMs
|
||||
|
||||
Qubes allows HVMs to share a common root filesystem from a select TemplateVM (see [TemplateHVM](/doc/glossary/#templatehvm) and [TemplateBasedHVM](/doc/glossary/#templatebasedhvm)).
|
||||
Qubes allows HVMs to share a common root filesystem from a select template (see [TemplateHVM](/doc/glossary/#templatehvm) and [TemplateBasedHVM](/doc/glossary/#templatebasedhvm)).
|
||||
This mode can be used for any HVM (e.g. FreeBSD running in a HVM).
|
||||
|
||||
In order to create a TemplateHVM you use the following command, suitably adapted:
|
||||
|
@ -216,7 +216,7 @@ Two options are available:
|
||||
Whonix lets you route some or all of your network traffic through Tor for greater privacy.
|
||||
Depending on your threat model, you may need to install Whonix templates right away.
|
||||
|
||||
Regardless of your choices on this screen, you will always be able to install these and other [TemplateVMs](/doc/templates/) later.
|
||||
Regardless of your choices on this screen, you will always be able to install these and other [templates](/doc/templates/) later.
|
||||
If you're short on disk space, you may wish to deselect these options.
|
||||
|
||||
By default, Qubes OS comes preinstalled with the lightweight Xfce4 desktop environment.
|
||||
@ -325,7 +325,7 @@ Let's briefly go over the options:
|
||||
* **Create Whonix Gateway and Workstation qubes:**
|
||||
If you want to use Whonix, you should select this option.
|
||||
* **Enabling system and template updates over the Tor anonymity network using Whonix:**
|
||||
If you select this option, then whenever you install or update software in dom0 or a TemplateVM, the internet traffic will go through Tor.
|
||||
If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
|
||||
* **Create USB qube holding all USB controllers:**
|
||||
Just like the network qube for the network stack, the USB qube isolates the USB controllers.
|
||||
* **Use sys-net qube for both networking and USB devices:**
|
||||
@ -360,7 +360,7 @@ It is important to make sure that you receive all QSBs in a timely manner so tha
|
||||
(While [updating](#updating) will handle most security needs, there may be cases in which additional action from you is required.)
|
||||
For this reason, we strongly recommend that every Qubes user subscribe to the [qubes-announce](/support/#qubes-announce) mailing list.
|
||||
|
||||
In addition to QSBs, the Qubes OS Project also publishes [Canaries](/security/canaries/), XSA summaries, TemplateVM releases and end-of-life notices, and other items of interest to Qubes users.
|
||||
In addition to QSBs, the Qubes OS Project also publishes [Canaries](/security/canaries/), XSA summaries, template releases and end-of-life notices, and other items of interest to Qubes users.
|
||||
Since these are not essential for all Qubes users to read, they are not sent to [qubes-announce](/support/#qubes-announce) in order to keep the volume on that list low.
|
||||
However, we expect that most users, especially novice users, will find them helpful.
|
||||
If you are interested in these additional items, we encourage you to subscribe to the [Qubes News RSS feed](/feed.xml) or join one of our other [venues](/support/), where these news items are also announced.
|
||||
|
@ -53,12 +53,12 @@ Dom0 is isolated from domUs. DomUs can access only a few interfaces, such as Xen
|
||||
These components are [security-critical](/doc/security-critical-code/), and we provide updates for all of them (when necessary), regardless of the support status of the base distribution.
|
||||
For this reason, we consider it safe to continue using a given base distribution in dom0 even after it has reached end-of-life (EOL).
|
||||
|
||||
## TemplateVMs
|
||||
## Templates
|
||||
|
||||
The following table shows select [TemplateVM](/doc/templates/) versions that are currently supported.
|
||||
Currently, only [Fedora](/doc/templates/fedora/) and [Debian](/doc/templates/debian/) TemplateVMs are officially supported by the Qubes OS Project.
|
||||
[Whonix](/doc/whonix/) TemplateVMs are supported by our partner, the [Whonix Project](https://www.whonix.org/).
|
||||
Qubes support for each TemplateVM ends when that upstream release reaches end-of-life (EOL).
|
||||
The following table shows select [template](/doc/templates/) versions that are currently supported.
|
||||
Currently, only [Fedora](/doc/templates/fedora/) and [Debian](/doc/templates/debian/) templates are officially supported by the Qubes OS Project.
|
||||
[Whonix](/doc/whonix/) templates are supported by our partner, the [Whonix Project](https://www.whonix.org/).
|
||||
Qubes support for each template ends when that upstream release reaches end-of-life (EOL).
|
||||
Please see below for distribution-specific notes.
|
||||
|
||||
It is the responsibility of each distribution to clearly notify its users in advance of its own EOL dates, and it is users' responsibility to heed these notices by upgrading to supported releases.
|
||||
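Review bot: Renaming the section heading from "## TemplateVMs" to "## Templates" also changes any anchor derived from that heading, and this documentation links to heading anchors elsewhere (for example `#updating` and `#testing-repositories` in this patch). Check for links that point at the old heading's anchor and update them in the same commit, or keep an explicit anchor with the old name.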
@ -83,17 +83,17 @@ Qubes support ends at the *regular* EOL date, *not* the LTS EOL date, unless a s
|
||||
|
||||
### Note on Whonix support
|
||||
|
||||
[Whonix](/doc/whonix/) TemplateVMs are supported by our partner, the [Whonix Project](https://www.whonix.org/).
|
||||
The Whonix Project has set its own support policy for Whonix TemplateVMs in Qubes.
|
||||
[Whonix](/doc/whonix/) templates are supported by our partner, the [Whonix Project](https://www.whonix.org/).
|
||||
The Whonix Project has set its own support policy for Whonix templates in Qubes.
|
||||
|
||||
This policy requires Whonix TemplateVM users to stay reasonably close to the cutting edge by upgrading to new stable versions of Qubes OS and Whonix TemplateVMs within a month of their respective releases.
|
||||
This policy requires Whonix template users to stay reasonably close to the cutting edge by upgrading to new stable versions of Qubes OS and Whonix templates within a month of their respective releases.
|
||||
To be precise:
|
||||
|
||||
* One month after a new stable version of Qubes OS is released, Whonix TemplateVMs will no longer be supported on any older version of Qubes OS.
|
||||
This means that users who wish to continue using Whonix TemplateVMs on Qubes must always upgrade to the latest stable Qubes OS version within one month of its release.
|
||||
* One month after a new stable version of Qubes OS is released, Whonix templates will no longer be supported on any older version of Qubes OS.
|
||||
This means that users who wish to continue using Whonix templates on Qubes must always upgrade to the latest stable Qubes OS version within one month of its release.
|
||||
|
||||
* One month after new stable versions of Whonix TemplateVMs are released, older versions of Whonix TemplateVMs will no longer be supported.
|
||||
This means that users who wish to continue using Whonix TemplateVMs on Qubes must always upgrade to the latest stable Whonix TemplateVM versions within one month of their release.
|
||||
* One month after new stable versions of Whonix templates are released, older versions of Whonix templates will no longer be supported.
|
||||
This means that users who wish to continue using Whonix templates on Qubes must always upgrade to the latest stable Whonix template versions within one month of their release.
|
||||
|
||||
We aim to announce both types of events one month in advance in order to remind users to upgrade.
|
||||
|
||||
|
@ -36,7 +36,7 @@ Updates
|
||||
How to test updates:
|
||||
|
||||
* Enable [dom0 testing repositories](/doc/how-to-install-software-in-dom0/#testing-repositories).
|
||||
* Enable [TemplateVM testing repositories](/doc/how-to-install-software/#testing-repositories).
|
||||
* Enable [template testing repositories](/doc/how-to-install-software/#testing-repositories).
|
||||
|
||||
Every new update is first uploaded to the `security-testing` repository if it is a security update or `current-testing` if it is a normal update.
|
||||
The update remains in `security-testing` or `current-testing` for a minimum of one week.
|
||||
|
@ -23,9 +23,9 @@ Upgrade Template and Standalone VM(s)
|
||||
|
||||
- **It also possible to download a new Fedora 20-based template from our repositories**. To do this please first upgrade the Dom0 distro as described in the section below.
|
||||
|
||||
While technically it is possible to use old Fedora 18 template on R2, it is strongly recommended to upgrade all the Template VMs and Standalone VMs, because Fedora 18 no longer receive security updates.
|
||||
While technically it is possible to use old Fedora 18 template on R2, it is strongly recommended to upgrade all the templates and Standalone VMs, because Fedora 18 no longer receive security updates.
|
||||
|
||||
By default, in Qubes R2, there is only one Template VM, however users are free to create more Template VMs for special purposes, as well as Standalone VMs. If more than one template and/or Standalone VMs are used, then it is recommended to upgrade/replace all of them. More information on using multiple Template VMs, as well as Standalone VMs, can be found [here](/doc/software-update-vm/).
|
||||
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. If more than one template and/or Standalone VMs are used, then it is recommended to upgrade/replace all of them. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/software-update-vm/).
|
||||
|
||||
Upgrading dom0
|
||||
--------------
|
||||
|
@ -20,9 +20,9 @@ Existing users of Qubes R1 (but not R1 betas!) can upgrade their systems to the
|
||||
Upgrade all Template and Standalone VM(s)
|
||||
-----------------------------------------
|
||||
|
||||
By default, in Qubes R1, there is only one Template VM, however users are free to create more Template VMs for special purposes, as well as Standalone VMs. More information on using multiple Template VMs, as well as Standalone VMs, can be found [here](/doc/templates/) and [here](/doc/standalone-and-hvm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
|
||||
By default, in Qubes R1, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/templates/) and [here](/doc/standalone-and-hvm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
|
||||
|
||||
1. Open terminal in the template VM (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
2. Install `qubes-upgrade-vm` package (this package brings in R2 repo definitions and R2 keys)
|
||||
|
||||
~~~
|
||||
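Review bot: The rewritten paragraph still ends with "repeated in *all* user's Template and Standalone VMs", so the old term survives in the very line this hunk replaces, and the section heading above it ("Upgrade all Template and Standalone VM(s)") is left as it was. Suggest "in *all* of the user's templates and Standalone VMs" here; the same sentence ending recurs in the other upgrade pages touched by this patch.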
@ -46,7 +46,7 @@ By default, in Qubes R1, there is only one Template VM, however users are free t
|
||||
Is this ok [y/N]:
|
||||
~~~
|
||||
|
||||
If you see (as is the case on the "screenshot" above) that the new key was imported from a local filesystem (`/etc/pki/rpm-gpg/...`) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your Template VM's filesystem:
|
||||
If you see (as is the case on the "screenshot" above) that the new key was imported from a local filesystem (`/etc/pki/rpm-gpg/...`) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your template's filesystem:
|
||||
|
||||
- via a legitimate RPM package previously installed (in our case it was the `qubes-upgrade-vm` RPM). Such an RPM must have been signed by one of the keys you decided to trust previously, by default this would be either via the Qubes R1 signing key, or Fedora 17 signing key.
|
||||
- via system compromise or via some illegal RPM package (e.g. Fedora released package pretending to bring new Firefox). In that case, however, your VM is already compromised, and it careful checking of the new R2 key would not change this situation to any better one. The game is lost for this VM anyway (and all VMs based on this template).
|
||||
|
@ -18,9 +18,9 @@ Upgrade all Template and Standalone VM(s)
|
||||
|
||||
**If you have already R2 Beta1 installed, follow standard template update procedure (e.g. "Update VM" button in Qubes Manager) and skip the rest of this section**
|
||||
|
||||
By default, in Qubes R1, there is only one Template VM, however users are free to create more Template VMs for special purposes, as well as Standalone VMs. More information on using multiple Template VMs, as well as Standalone VMs, can be found [here](/doc/templates/) and [here](/doc/standalone-and-hvm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
|
||||
By default, in Qubes R1, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/templates/) and [here](/doc/standalone-and-hvm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
|
||||
|
||||
1. Open terminal in the template VM (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
2. Install `qubes-upgrade-vm` package (this package brings in R2 repo definitions and R2 keys)
|
||||
|
||||
~~~
|
||||
@ -44,7 +44,7 @@ By default, in Qubes R1, there is only one Template VM, however users are free t
|
||||
Is this ok [y/N]:
|
||||
~~~
|
||||
|
||||
If you see (as is the case on the "screenshot" above) that the new key was imported from a local filesystem (`/etc/pki/rpm-gpg/...`) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your Template VM's filesystem:
|
||||
If you see (as is the case on the "screenshot" above) that the new key was imported from a local filesystem (`/etc/pki/rpm-gpg/...`) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your template's filesystem:
|
||||
|
||||
- via a legitimate RPM package previously installed (in our case it was the `qubes-upgrade-vm` RPM). Such an RPM must have been signed by one of the keys you decided to trust previously, by default this would be either via the Qubes R1 signing key, or Fedora 17 signing key.
|
||||
- via system compromise or via some illegal RPM package (e.g. Fedora released package pretending to bring new Firefox). In that case, however, your VM is already compromised, and it careful checking of the new R2 key would not change this situation to any better one. The game is lost for this VM anyway (and all VMs based on this template).
|
||||
|
@ -20,11 +20,11 @@ Experienced users may be comfortable accepting the risks of upgrading in-place.
|
||||
Upgrade all Template and Standalone VM(s)
|
||||
-----------------------------------------
|
||||
|
||||
By default, in Qubes R2, there is only one Template VM, however users are free to create more Template VMs for special purposes, as well as Standalone VMs. More information on using multiple Template VMs, as well as Standalone VMs, can be found [here](/doc/software-update-vm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
|
||||
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/software-update-vm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
|
||||
|
||||
It is critical to complete this step **before** proceeding to dom0 upgrade. Otherwise you will most likely ends with unusable system.
|
||||
|
||||
1. Open terminal in the template VM (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
2. Proceed with normal update in the template:
|
||||
|
||||
~~~
|
||||
|
@ -21,13 +21,13 @@ Experienced users may be comfortable accepting the risks of upgrading in-place.
|
||||
|
||||
## Upgrade all Template and Standalone VM(s)
|
||||
|
||||
By default, in Qubes R2, there is only one Template VM, however users are free to create more Template VMs for special purposes, as well as Standalone VMs. More information on using multiple Template VMs, as well as Standalone VMs, can be found [here](/doc/software-update-vm/). The steps described in this section should be repeated in **all** user's Template and Standalone VMs.
|
||||
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/software-update-vm/). The steps described in this section should be repeated in **all** user's Template and Standalone VMs.
|
||||
|
||||
It is critical to complete this step **before** proceeding to dom0 upgrade. Otherwise you will most likely end with unusable system.
|
||||
|
||||
### Upgrade Fedora template:
|
||||
|
||||
1. Open terminal in the template VM (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
2. Install `qubes-upgrade-vm` package:
|
||||
|
||||
```
|
||||
@ -42,11 +42,11 @@ It is critical to complete this step **before** proceeding to dom0 upgrade. Othe
|
||||
|
||||
You'll need to accept "Qubes Release 3 Signing Key" - it is delivered by signed qubes-upgrade-vm package (verify that the message is about local file), so you don't need to manually verify it.
|
||||
|
||||
4. Shutdown the template VM.
|
||||
4. Shutdown the template.
|
||||
|
||||
### Upgrade Debian template:
|
||||
|
||||
1. Open terminal in the template VM (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
|
||||
2. Update repository definition:
|
||||
|
||||
```
|
||||
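Review bot: Step 4 in this hunk becomes "Shutdown the template.", keeping "Shutdown" as a one-word verb, while a later file in this patch writes the same step as "Shut down the template." Since the line is being rewritten anyway, use the two-word verb here and in the matching step of the Debian section.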
@ -68,7 +68,7 @@ It is critical to complete this step **before** proceeding to dom0 upgrade. Othe
|
||||
(after 3min timeout), but you can ignore this problem for now. After
|
||||
completing the whole upgrade the service will be properly restarted.
|
||||
|
||||
4. Shutdown the template VM.
|
||||
4. Shutdown the template.
|
||||
|
||||
## Upgrading dom0
|
||||
|
||||
@ -137,7 +137,7 @@ Because of above limitations, you will need to configure some of those manually.
|
||||
|
||||
```shell_session
|
||||
[user@dom0 ~]$ qvm-start custom-template
|
||||
--> Loading the VM (type = TemplateVM)...
|
||||
--> Loading the VM (type = template)...
|
||||
--> Starting Qubes DB...
|
||||
--> Setting Qubes DB info for the VM...
|
||||
--> Updating firewall rules...
|
||||
|
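Review bot: The changed line `--> Loading the VM (type = template)...` is inside the `shell_session` block that shows the output of `qvm-start custom-template`, so this hunk edits captured terminal output. Unless `qvm-start` itself prints the new wording, the sample no longer matches what a user will see; keep the output verbatim and limit the rename to prose.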
@ -19,15 +19,15 @@ by following the procedure below.
|
||||
|
||||
## Upgrade all Template and Standalone VM(s)
|
||||
|
||||
By default, in Qubes R3.0, there is only one TemplateVM. However, users are
|
||||
free to create more TemplateVMs for special purposes, as well as StandaloneVMs.
|
||||
More information on using multiple TemplateVMs, as well as StandaloneVMs, can be
|
||||
By default, in Qubes R3.0, there is only one template. However, users are
|
||||
free to create more templates for special purposes, as well as StandaloneVMs.
|
||||
More information on using multiple templates, as well as StandaloneVMs, can be
|
||||
found [here](/doc/software-update-vm/). The steps described in this
|
||||
section should be repeated in **all** the user's Template and Standalone VMs.
|
||||
|
||||
### Upgrade Fedora templates:
|
||||
|
||||
1. Open a terminal in the TemplateVM (or StandaloneVM). (E.g., use Qubes VM
|
||||
1. Open a terminal in the template (or StandaloneVM). (E.g., use Qubes VM
|
||||
Manager's right-click menu, choose "Run Command in VM," and type
|
||||
`gnome-terminal` there.)
|
||||
|
||||
@ -43,11 +43,11 @@ section should be repeated in **all** the user's Template and Standalone VMs.
|
||||
sudo yum upgrade
|
||||
```
|
||||
|
||||
4. Shut down the template VM.
|
||||
4. Shut down the template.
|
||||
|
||||
### Upgrade Debian (and Whonix) templates:
|
||||
|
||||
1. Open a terminal in the TemplateVM (or StandaloneVM). (E.g., use Qubes VM
|
||||
1. Open a terminal in the template (or StandaloneVM). (E.g., use Qubes VM
|
||||
Manager's right-click menu, choose "Run Command in VM," and type
|
||||
`gnome-terminal` there.)
|
||||
|
||||
@ -71,7 +71,7 @@ section should be repeated in **all** the user's Template and Standalone VMs.
|
||||
sudo rm -f /etc/apt/sources.list.d/qubes-r3-upgrade.list
|
||||
```
|
||||
|
||||
5. Shut down the template VM.
|
||||
5. Shut down the template.
|
||||
|
||||
## Upgrading dom0
|
||||
|
||||
|
@ -114,9 +114,9 @@ your favorite desktop environment and continue.
|
||||
|
||||
## Upgrade all Template and Standalone VM(s)
|
||||
|
||||
By default, in Qubes R3.1, there are few TemplateVMs and no StandaloneVMs.
|
||||
By default, in Qubes R3.1, there are few templates and no StandaloneVMs.
|
||||
However, users are free to create StandaloneVMs More information on using
|
||||
multiple TemplateVMs, as well as StandaloneVMs, can be found
|
||||
multiple templates, as well as StandaloneVMs, can be found
|
||||
[here](/doc/software-update-vm/). The steps described in this section should be
|
||||
repeated in **all** the user's Template and Standalone VMs.
|
||||
|
||||
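Review bot: the context line between the two edited lines is missing a full stop ("However, users are free to create StandaloneVMs More information on using"), and the edited sentence now runs straight into it. Worth fixing in the same pass, since the paragraph is being reflowed around it anyway.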
@ -127,7 +127,7 @@ repeated in **all** the user's Template and Standalone VMs.
|
||||
In order to do that, please see the
|
||||
[Fedora 23 template upgrade instructions](/doc/templates/fedora/#upgrading).
|
||||
|
||||
1. Open a terminal in the TemplateVM (or StandaloneVM). (E.g., use Qubes VM
|
||||
1. Open a terminal in the template (or StandaloneVM). (E.g., use Qubes VM
|
||||
Manager's right-click menu, choose "Run Command in VM," and type
|
||||
`gnome-terminal` there.)
|
||||
|
||||
@ -149,11 +149,11 @@ In order to do that, please see the
|
||||
sudo dnf install qubes-mgmt-salt-vm-connector
|
||||
```
|
||||
|
||||
5. Shut down the template VM.
|
||||
5. Shut down the template.
|
||||
|
||||
### Upgrade Debian (and Whonix) templates:
|
||||
|
||||
1. Open a terminal in the TemplateVM (or StandaloneVM). (E.g., use Qubes VM
|
||||
1. Open a terminal in the template (or StandaloneVM). (E.g., use Qubes VM
|
||||
Manager's right-click menu, choose "Run Command in VM," and type
|
||||
`gnome-terminal` there.)
|
||||
|
||||
@ -183,4 +183,4 @@ In order to do that, please see the
|
||||
sudo rm -f /etc/apt/sources.list.d/qubes-r3-upgrade.list
|
||||
```
|
||||
|
||||
6. Shut down the template VM.
|
||||
6. Shut down the template.
|
||||
|
@ -83,9 +83,9 @@ Restore from your backup
|
||||
|
||||
5. Follow the **Restoring from a Backup** section in the [Backup, Restoration, and Migration](/doc/backup-restore/) guide.
|
||||
We recommend that you restore only your [app qubes](/doc/glossary/#app-qube) and [StandaloneVMs](/doc/glossary/#standalonevm) from R3.2.
|
||||
Using [TemplateVMs](/doc/templates/) and [SystemVMs](/doc/glossary/#systemvm) from R3.2 is not fully supported (see [#3514](https://github.com/QubesOS/qubes-issues/issues/3514)).
|
||||
Instead, we recommend using the TemplateVMs that were created specifically for R4.0, which you can [customize](/doc/software-update-vm/) according to your needs.
|
||||
For the TemplateVM OS versions supported in R4.0, see [Supported Versions](/doc/supported-versions/#templatevms).
|
||||
Using [templates](/doc/templates/) and [SystemVMs](/doc/glossary/#systemvm) from R3.2 is not fully supported (see [#3514](https://github.com/QubesOS/qubes-issues/issues/3514)).
|
||||
Instead, we recommend using the templates that were created specifically for R4.0, which you can [customize](/doc/software-update-vm/) according to your needs.
|
||||
For the template OS versions supported in R4.0, see [Supported Versions](/doc/supported-versions/#templates).
|
||||
If the restore tool complains about missing templates, you can select the option to restore the app qubes anyway, then change them afterward to use one of the default R4.0 templates.
|
||||
|
||||
Note about additional disp-* qubes created during restore
|
||||
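Review bot: the link target changes from `/doc/supported-versions/#templatevms` to `/doc/supported-versions/#templates`, which only resolves if the corresponding heading on the Supported Versions page is renamed in the same commit. Please confirm that heading change is included, otherwise this link lands at the top of the page instead of the template section.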
@ -109,11 +109,11 @@ Both Qubes Manager and the `qvm-remove` tool will show you where a disposable te
|
||||
Upgrade all Template and Standalone VM(s)
|
||||
-----------------------------------------
|
||||
|
||||
We strongly recommend that you update **all** TemplateVMs and StandaloneVMs before use so that you have the latest security patches from upstream distributions.
|
||||
We strongly recommend that you update **all** templates and StandaloneVMs before use so that you have the latest security patches from upstream distributions.
|
||||
In addition, if the default templates have reached EOL (end-of-life) by the time you install R4.0, we strongly recommend that you upgrade them before use.
|
||||
Please see [Supported Versions](/doc/supported-versions/) for information on supported OS versions and consult the guides below for specific upgrade instructions:
|
||||
|
||||
* [Upgrading Fedora TemplateVMs](/doc/templates/fedora/#upgrading)
|
||||
* [Upgrading Debian TemplateVMs](/doc/templates/debian/#upgrading)
|
||||
* [Updating Whonix TemplateVMs](https://www.whonix.org/wiki/Qubes/Update)
|
||||
* [Upgrading Fedora templates](/doc/templates/fedora/#upgrading)
|
||||
* [Upgrading Debian templates](/doc/templates/debian/#upgrading)
|
||||
* [Updating Whonix templates](https://www.whonix.org/wiki/Qubes/Update)
|
||||
|
||||
|
@ -103,7 +103,7 @@ This brings up the **Qubes Restore VMs** window.
|
||||
Once you've located the backup file, double-click it or select it and hit **OK**.
|
||||
|
||||
3. There are three options you may select when restoring from a backup:
|
||||
1. **ignore missing templates and net VMs**: If any of the VMs in your backup depended upon a NetVM or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway and set them to use the default NetVM and system default template.
|
||||
1. **ignore missing templates and net VMs**: If any of the VMs in your backup depended upon a NetVM or template that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway and set them to use the default NetVM and system default template.
|
||||
2. **ignore username mismatch**: This option applies only to the restoration of dom0's home directory.
|
||||
If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
|
||||
3. **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data.
|
||||
|
@ -156,15 +156,15 @@ This is like the simple revert, except:
|
||||
### Temporarily allowing networking for software installation
|
||||
|
||||
Some third-party applications cannot be installed using the standard repositories and need to be manually downloaded and installed.
|
||||
When the installation requires internet connection to access third-party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections from package managers.
|
||||
When the installation requires internet connection to access third-party repositories, it will naturally fail when run in a template because the default firewall rules for templates only allow connections from package managers.
|
||||
So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template.
|
||||
As soon as software installation is completed, firewall rules should be returned back to the default state.
|
||||
The user should decide by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
|
||||
The user should decide by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default template, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
|
||||
|
||||
### Updates proxy
|
||||
|
||||
Updates proxy is a service which allows access only from package managers.
|
||||
This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation.
|
||||
This is meant to mitigate user errors (like using browser in the template), rather than some real isolation.
|
||||
It is done with http proxy (tinyproxy) instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date).
|
||||
The proxy is used only to filter the traffic, not to cache anything.
|
||||
|
||||
@ -196,7 +196,7 @@ Example policy file in R4.0 (with Whonix installed, but not set as default Updat
|
||||
@tag:whonix-updatevm @anyvm deny
|
||||
|
||||
# other templates use sys-net
|
||||
@type:TemplateVM @default allow,target=sys-net
|
||||
@type:template @default allow,target=sys-net
|
||||
@anyvm @anyvm deny
|
||||
```
|
||||
|
||||
|
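Review bot: the rename reaches into the policy example on the "other templates use sys-net" rule, where `@type:TemplateVM` is a qrexec policy keyword matched against the qube's class name, not documentation prose. With `@type:template @default allow,target=sys-net` the rule would no longer match template qubes, and their update proxy requests would fall through to the final `@anyvm @anyvm deny`. Revert this line to `@type:TemplateVM` and keep the terminology change to the text outside the code block.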
@ -33,7 +33,7 @@ It is important to keep your Qubes OS system up-to-date to ensure you have the l
|
||||
Fully updating your Qubes OS system means updating:
|
||||
|
||||
- [Dom0](/doc/how-to-install-software-in-dom0/)
|
||||
- [TemplateVMs](/doc/how-to-install-software/#updating-software-in-templatevms)
|
||||
- [templates](/doc/how-to-install-software/#updating-software-in-templates)
|
||||
- [StandaloneVMs](/doc/how-to-install-software/#standalonevms) (if you have any)
|
||||
|
||||
You can accomplish this using the **Qubes Update** tool.
|
||||
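Review bot: the new list item is lowercase ("templates") while its siblings "Dom0" and "StandaloneVMs" are capitalised, so the list now reads unevenly; capitalise it as "Templates" here. The fragment also changes to `#updating-software-in-templates`, so the heading on the how-to-install-software page needs the matching rename for the link to keep working.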
@ -56,18 +56,18 @@ Even if no updates have been detected, you can use this tool to check for update
|
||||
|
||||
The above covers updating *within* a given operating system release.
|
||||
Eventually, however, most operating system releases will reach [end-of-life (EOL)](https://fedoraproject.org/wiki/End_of_life), after which point they will no longer be supported.
|
||||
This applies to [Qubes OS itself](/doc/supported-versions/#qubes-os) as well as operating systems used for TemplateVMs and StandaloneVMs, such as [Fedora](/doc/templates/fedora/) and [Debian](/doc/templates/debian/).
|
||||
This applies to [Qubes OS itself](/doc/supported-versions/#qubes-os) as well as operating systems used for templates and StandaloneVMs, such as [Fedora](/doc/templates/fedora/) and [Debian](/doc/templates/debian/).
|
||||
It is very important to use only supported releases, since generally only supported releases receive security updates.
|
||||
This means that you must periodically upgrade to a newer release before your current release reaches EOL.
|
||||
|
||||
In the case of Qubes OS itself, we will always [announce](/news/categories/#releases) when a given Qubes OS release is approaching and has reached EOL, and we will provide [instructions for upgrading to the next stable supported Qubes OS release](/doc/upgrade/).
|
||||
Again, you can always see the current support status for all Qubes OS releases [here](/doc/supported-versions/#qubes-os).
|
||||
|
||||
Periodic upgrades are also important for TemplateVMs and StandaloneVMs.
|
||||
For example, you might be using a [Fedora TemplateVM](/doc/templates/fedora/).
|
||||
Periodic upgrades are also important for templates and StandaloneVMs.
|
||||
For example, you might be using a [Fedora Template](/doc/templates/fedora/).
|
||||
The [Fedora Project](https://getfedora.org/) is independent of the Qubes OS Project.
|
||||
They set their own [schedule](https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle#Maintenance_Schedule) for when each Fedora release reaches EOL.
|
||||
You can always find out when an operating system reaches EOL from the upstream project that maintains it, but we also make EOL [announcements](/news/categories/#announcements) and publish guides for official TemplateVM operating systems as a convenience to Qubes users.
|
||||
You can always find out when an operating system reaches EOL from the upstream project that maintains it, but we also make EOL [announcements](/news/categories/#announcements) and publish guides for official template operating systems as a convenience to Qubes users.
|
||||
When this happens, you should make sure to follow the guide to upgrade to a supported version of that operating system (see the [Fedora upgrade guides](/doc/templates/fedora/#upgrading) and the [Debian upgrade guides](/doc/templates/debian/#upgrading)).
|
||||
|
||||
The one exception to all this is the specific release used for dom0 (not to be confused with Qubes OS as a whole), which [doesn't have to be upgraded](/doc/supported-versions/#note-on-dom0-and-eol).
|
||||
|
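Review bot: "[Fedora Template]" capitalises "Template" mid-sentence, while every other replacement in this hunk uses lowercase ("templates and StandaloneVMs", "official template operating systems"). Pick one form; "a [Fedora template]" matches the rest of the change.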
@ -31,7 +31,7 @@ This diagram provides a general example of how disposables can be used to safely
|
||||
If a [disposable template](/doc/glossary/#disposable-template) becomes compromised, then any disposable based on that disposable template could be compromised.
|
||||
In particular, the *default* disposable template is important because it is used by the "Open in disposable" feature.
|
||||
This means that it will have access to everything that you open with this feature.
|
||||
For this reason, it is strongly recommended that you base the default disposable template on a trusted TemplateVM.
|
||||
For this reason, it is strongly recommended that you base the default disposable template on a trusted template.
|
||||
|
||||
### Disposables and Local Forensics
|
||||
|
||||
@ -42,10 +42,10 @@ When it is essential to avoid leaving any trace, consider using [Tails](https://
|
||||
|
||||
## Disposables and Networking
|
||||
|
||||
Similarly to how app qubes are based on their underlying [TemplateVM](/doc/glossary/#templatevm), disposables are based on their underlying [disposable template](/doc/glossary/#disposable-template).
|
||||
Similarly to how app qubes are based on their underlying [template](/doc/glossary/#template), disposables are based on their underlying [disposable template](/doc/glossary/#disposable-template).
|
||||
R4.0 introduces the concept of multiple disposable templates, whereas R3.2 was limited to only one.
|
||||
|
||||
On a fresh installation of Qubes, the default disposable template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM).
|
||||
On a fresh installation of Qubes, the default disposable template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default template).
|
||||
If you have included the Whonix option in your install, there will also be a `whonix-ws-dvm` disposable template available for your use.
|
||||
|
||||
You can set any app qube to have the ability to act as a disposable template with:
|
||||
|
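Review bot: the glossary link changes from `/doc/glossary/#templatevm` to `/doc/glossary/#template`, so the glossary entry itself has to be renamed in this commit for the anchor to exist. If the old anchor is linked from outside the docs, consider keeping it as an alias on the glossary page.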
@ -369,7 +369,7 @@ Rather, the master secret key remains in the `vault` VM, which is extremely unli
|
||||
<sup>\*</sup> The attacker might nonetheless be able to leak the secret subkeys from the `work-gpg` VM in the manner described above, but even if this is successful, the secure master secret key can simply be used to revoke the compromised subkeys and to issue new subkeys in their place.
|
||||
(This is significantly less devastating than having to create a new *master* keypair.)
|
||||
|
||||
<sup>\*</sup>In order to gain access to the `vault` VM, the attacker would require the use of, e.g., a general Xen VM escape exploit or a [signed, compromised package which is already installed in the TemplateVM](/doc/templates/#trusting-your-templatevms) upon which the `vault` VM is based.
|
||||
<sup>\*</sup>In order to gain access to the `vault` VM, the attacker would require the use of, e.g., a general Xen VM escape exploit or a [signed, compromised package which is already installed in the template](/doc/templates/#trusting-your-templates) upon which the `vault` VM is based.
|
||||
|
||||
### Subkey Tutorials and Discussions
|
||||
|
||||
|
@ -79,20 +79,20 @@ $ qvm-service --enable work qubes-u2f-proxy
|
||||
|
||||
The above assumes a `work` qube in which you would like to enable u2f. Repeat the `qvm-service` command for all qubes that should have the proxy enabled. Alternatively, you can add `qubes-u2f-proxy` in VM settings -> Services in the Qube Manager of each qube you would like to enable the service.
|
||||
|
||||
In Fedora TemplateVMs:
|
||||
In Fedora templates:
|
||||
|
||||
```
|
||||
$ sudo dnf install qubes-u2f
|
||||
```
|
||||
|
||||
In Debian TemplateVMs:
|
||||
In Debian templates:
|
||||
|
||||
```
|
||||
$ sudo apt install qubes-u2f
|
||||
```
|
||||
|
||||
As usual with software updates, shut down the templates after installation, then restart `sys-usb` and all qubes that use the proxy.
|
||||
After that, you may use your U2F token (but see [Browser support](#templatevm-and-browser-support) below).
|
||||
After that, you may use your U2F token (but see [Browser support](#template-and-browser-support) below).
|
||||
|
||||
## Advanced usage: per-qube key access
|
||||
|
||||
@ -125,9 +125,9 @@ systemctl disable qubes-u2fproxy@sys-usb.service
|
||||
|
||||
Replace `USB_QUBE` with the actual USB qube name.
|
||||
|
||||
## TemplateVM and browser support
|
||||
## Template and browser support
|
||||
|
||||
The large number of possible combinations of TemplateVM (Fedora 27, 28; Debian 8, 9) and browser (multiple Google Chrome versions, multiple Chromium versions, multiple Firefox versions) made it impractical for us to test every combination that users are likely to attempt with the Qubes U2F Proxy.
|
||||
The large number of possible combinations of template (Fedora 27, 28; Debian 8, 9) and browser (multiple Google Chrome versions, multiple Chromium versions, multiple Firefox versions) made it impractical for us to test every combination that users are likely to attempt with the Qubes U2F Proxy.
|
||||
In some cases, you may be the first person to try a particular combination.
|
||||
Consequently (and as with any new feature), users will inevitably encounter bugs.
|
||||
We ask for your patience and understanding in this regard.
|
||||
|
@ -118,9 +118,9 @@ Do not rely on this for extra security.**
|
||||
>/etc/qubes-rpc/policy/qubes.VMAuth
|
||||
```
|
||||
|
||||
(Note: any VMs you would like still to have passwordless root access (e.g. TemplateVMs) can be specified in the second file with "\<vmname\> dom0 allow")
|
||||
(Note: any VMs you would like still to have passwordless root access (e.g. Templates) can be specified in the second file with "\<vmname\> dom0 allow")
|
||||
|
||||
2. Configuring Fedora TemplateVM to prompt Dom0 for any authorization request:
|
||||
2. Configuring Fedora template to prompt Dom0 for any authorization request:
|
||||
- In `/etc/pam.d/system-auth`, replace all lines beginning with "auth" with these lines:
|
||||
|
||||
```
|
||||
@ -143,7 +143,7 @@ Do not rely on this for extra security.**
|
||||
[root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
||||
```
|
||||
|
||||
3. Configuring Debian/Whonix TemplateVM to prompt Dom0 for any authorization request:
|
||||
3. Configuring Debian/Whonix template to prompt Dom0 for any authorization request:
|
||||
- In `/etc/pam.d/common-auth`, replace all lines beginning with "auth" with these lines:
|
||||
|
||||
```
|
||||
|
@ -24,7 +24,7 @@ Same as in the OTP case, you will need to set up your YubiKey, choose a separate
|
||||
|
||||
To use this mode you need to:
|
||||
|
||||
1. Install yubikey personalization the packages in your TemplateVM on which your USB VM is based.
|
||||
1. Install yubikey personalization the packages in your template on which your USB VM is based.
|
||||
|
||||
For Fedora.
|
||||
|
||||
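Review bot: step 1 still has the scrambled word order "Install yubikey personalization the packages in your template on which your USB VM is based." Since the line is being edited, fix it at the same time, for example "Install the YubiKey personalization packages in the template on which your USB VM is based."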
@ -38,8 +38,8 @@ To use this mode you need to:
|
||||
sudo apt-get install yubikey-personalization yubikey-personalization-gui
|
||||
```
|
||||
|
||||
Shut down your TemplateVM.
|
||||
Then, either reboot your USB VM (so changes inside the TemplateVM take effect in your USB app qube) or install the packages inside your USB VM if you would like to avoid rebooting it.
|
||||
Shut down your template.
|
||||
Then, either reboot your USB VM (so changes inside the template take effect in your USB app qube) or install the packages inside your USB VM if you would like to avoid rebooting it.
|
||||
|
||||
2. Configure your YubiKey for challenge-response `HMAC-SHA1` mode, for example [following this tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/).
|
||||
|
||||
|
@ -14,16 +14,16 @@ title: How to Upgrade a Debian Template In-place
|
||||
|
||||
<div class="alert alert-danger" role="alert">
|
||||
<i class="fa fa-exclamation-triangle"></i>
|
||||
<b>Warning:</b> This page is intended for advanced users only. Most users seeking to upgrade should instead <a href="/doc/templates/debian/#installing">install a new Debian TemplateVM</a>. Learn more about the two options <a href="/doc/templates/debian/#upgrading">here</a>.
|
||||
<b>Warning:</b> This page is intended for advanced users only. Most users seeking to upgrade should instead <a href="/doc/templates/debian/#installing">install a new Debian template</a>. Learn more about the two options <a href="/doc/templates/debian/#upgrading">here</a>.
|
||||
</div>
|
||||
|
||||
|
||||
This page provides instructions for performing an in-place upgrade of an installed [Debian TemplateVM](/doc/templates/debian/).
|
||||
If you wish to install a new, unmodified Debian TemplateVM instead of upgrading a template that is already installed in your system, please see the [Debian TemplateVM](/doc/templates/debian/) page instead. ([Learn more about the two options.](/doc/templates/debian/#upgrading))
|
||||
This page provides instructions for performing an in-place upgrade of an installed [Debian Template](/doc/templates/debian/).
|
||||
If you wish to install a new, unmodified Debian template instead of upgrading a template that is already installed in your system, please see the [Debian Template](/doc/templates/debian/) page instead. ([Learn more about the two options.](/doc/templates/debian/#upgrading))
|
||||
|
||||
In general, upgrading a Debian TemplateVM follows the same process as [upgrading a native Debian system](https://wiki.debian.org/DebianUpgrade).
|
||||
In general, upgrading a Debian template follows the same process as [upgrading a native Debian system](https://wiki.debian.org/DebianUpgrade).
|
||||
|
||||
## Summary instructions for Debian TemplateVMs
|
||||
## Summary instructions for Debian templates
|
||||
|
||||
**Note:** The prompt on each line indicates where each command should be entered: `dom0`, `debian-<old>`, or `debian-<new>`, where `<old>` is the Debian version number *from* which you are upgrading, and `<new>` is the Debian version number *to* which you are upgrading.
|
||||
|
||||
@ -40,10 +40,10 @@ In general, upgrading a Debian TemplateVM follows the same process as [upgrading
|
||||
|
||||
**Recommended:** [Switch everything that was set to the old template to the new template.](/doc/templates/#switching)
|
||||
|
||||
## Detailed instructions for Debian TemplateVMs
|
||||
## Detailed instructions for Debian templates
|
||||
|
||||
These instructions will show you how to upgrade Debian TemplateVMs.
|
||||
The same general procedure may be used to upgrade any template based on the standard Debian TemplateVM.
|
||||
These instructions will show you how to upgrade Debian templates.
|
||||
The same general procedure may be used to upgrade any template based on the standard Debian template.
|
||||
|
||||
**Note:** The prompt on each line indicates where each command should be entered: `dom0`, `debian-<old>`, or `debian-<new>`, where `<old>` is the Debian version number *from* which you are upgrading, and `<new>` is the Debian version number *to* which you are upgrading.
|
||||
|
||||
@ -101,7 +101,7 @@ The same general procedure may be used to upgrade any template based on the stan
|
||||
[user@debian-<new> ~]$ sudo fstrim -av
|
||||
```
|
||||
|
||||
8. Shut down the new TemplateVM.
|
||||
8. Shut down the new template.
|
||||
|
||||
```
|
||||
[user@dom0 ~]$ qvm-shutdown debian-<new>
|
||||
@ -120,7 +120,7 @@ The same general procedure may be used to upgrade any template based on the stan
|
||||
|
||||
## StandaloneVMs
|
||||
|
||||
The procedure for upgrading a Debian [StandaloneVM](/doc/standalone-and-hvm/) is the same as for a TemplateVM.
|
||||
The procedure for upgrading a Debian [StandaloneVM](/doc/standalone-and-hvm/) is the same as for a template.
|
||||
|
||||
## Release-specific notes
|
||||
|
||||
@ -138,7 +138,7 @@ Please see [Debian's Buster upgrade instructions](https://www.debian.org/release
|
||||
* If sound is not working, you may need to enable the Qubes testing repository to get the testing version of `qubes-gui-agent`.
|
||||
This can be done by editing the `/etc/apt/sources.list.d/qubes-r4.list` file and uncommenting the `Qubes Updates Candidates` repo.
|
||||
|
||||
* User-initiated updates/upgrades may not run when a templateVM first starts.
|
||||
* User-initiated updates/upgrades may not run when a template first starts.
|
||||
This is due to a new Debian config setting that attempts to update automatically; it should be disabled with `sudo systemctl disable apt-daily.{service,timer}`.
|
||||
|
||||
Relevant discussions:
|
||||
|
@ -12,14 +12,14 @@ title: Debian Templates
|
||||
---
|
||||
|
||||
|
||||
The Debian [TemplateVM](/doc/templates/) is an officially [supported](/doc/supported-versions/#templatevms) TemplateVM in Qubes OS.
|
||||
This page is about the standard (or "full") Debian TemplateVM.
|
||||
For the minimal version, please see the [Minimal TemplateVMs](/doc/templates/minimal/) page.
|
||||
The Debian [template](/doc/templates/) is an officially [supported](/doc/supported-versions/#templates) template in Qubes OS.
|
||||
This page is about the standard (or "full") Debian template.
|
||||
For the minimal version, please see the [Minimal templates](/doc/templates/minimal/) page.
|
||||
There is also a [Qubes page on the Debian Wiki](https://wiki.debian.org/Qubes).
|
||||
|
||||
## Installing
|
||||
|
||||
To [install](/doc/templates/#installing) a specific Debian TemplateVM that is not currently installed in your system, use the following command in dom0:
|
||||
To [install](/doc/templates/#installing) a specific Debian template that is not currently installed in your system, use the following command in dom0:
|
||||
|
||||
```
|
||||
$ sudo qubes-dom0-update qubes-template-debian-XX
|
||||
@ -27,25 +27,25 @@ $ sudo qubes-dom0-update qubes-template-debian-XX
|
||||
|
||||
(Replace `XX` with the Debian version number of the template you wish to install.)
|
||||
|
||||
To reinstall a Debian TemplateVM that is already installed in your system, see [How to Reinstall a TemplateVM](/doc/reinstall-template/).
|
||||
To reinstall a Debian template that is already installed in your system, see [How to Reinstall a template](/doc/reinstall-template/).
|
||||
|
||||
## After Installing
|
||||
|
||||
After installing a fresh Debian TemplateVM, we recommend performing the following steps:
|
||||
After installing a fresh Debian template, we recommend performing the following steps:
|
||||
|
||||
1. [Update the TemplateVM](/doc/software-update-vm/).
|
||||
1. [Update the template](/doc/software-update-vm/).
|
||||
|
||||
2. [Switch any app qubes that are based on the old TemplateVM to the new one](/doc/templates/#switching).
|
||||
2. [Switch any app qubes that are based on the old template to the new one](/doc/templates/#switching).
|
||||
|
||||
3. If desired, [uninstall the old TemplateVM](/doc/templates/#uninstalling).
|
||||
3. If desired, [uninstall the old template](/doc/templates/#uninstalling).
|
||||
|
||||
## Updating
|
||||
|
||||
For routine daily TemplateVM updates within a given Debian release, see [Updating software in TemplateVMs](/doc/how-to-install-software/#updating-software-in-templatevms).
|
||||
For routine daily template updates within a given Debian release, see [Updating software in templates](/doc/how-to-install-software/#updating-software-in-templates).
|
||||
|
||||
## Upgrading
|
||||
|
||||
There are two ways to upgrade your TemplateVM to a new Debian release:
|
||||
There are two ways to upgrade your template to a new Debian release:
|
||||
|
||||
- [Install a fresh template to replace the existing one.](#installing) **This option may be simpler for less experienced users.** After you install the new template, redo all desired template modifications and [switch everything that was set to the old template to the new template](/doc/templates/#switching). You may want to write down the modifications you make to your templates so that you remember what to redo on each fresh install. In the old Debian template, see `/var/log/dpkg.log` and `/var/log/apt/history.log` for logs of package manager actions.
|
||||
|
||||
|
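Review bot: the link text "[How to Reinstall a template]" mixes title case with a lowercase final word; it refers to a page title, so it should read "How to Reinstall a Template" (or match whatever that page's title becomes in this commit). The `#updating-software-in-templates` fragment further down has the usual dependency on the target heading being renamed too.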
@ -25,13 +25,13 @@ title: How to Upgrade a Fedora Template In-place
|
||||
|
||||
<div class="alert alert-danger" role="alert">
|
||||
<i class="fa fa-exclamation-triangle"></i>
|
||||
<b>Warning:</b> This page is intended for advanced users only. Most users seeking to upgrade should instead <a href="/doc/templates/fedora/#installing">install a new Fedora TemplateVM</a>. Learn more about the two options <a href="/doc/templates/fedora/#upgrading">here</a>.
|
||||
<b>Warning:</b> This page is intended for advanced users only. Most users seeking to upgrade should instead <a href="/doc/templates/fedora/#installing">install a new Fedora template</a>. Learn more about the two options <a href="/doc/templates/fedora/#upgrading">here</a>.
|
||||
</div>
|
||||
|
||||
This page provides instructions for performing an in-place upgrade of an installed [Fedora TemplateVM](/doc/templates/fedora/).
|
||||
If you wish to install a new, unmodified Fedora TemplateVM instead of upgrading a template that is already installed in your system, please see the [Fedora TemplateVM](/doc/templates/fedora/) page instead. ([Learn more about the two options.](/doc/templates/fedora/#upgrading))
|
||||
This page provides instructions for performing an in-place upgrade of an installed [Fedora Template](/doc/templates/fedora/).
|
||||
If you wish to install a new, unmodified Fedora template instead of upgrading a template that is already installed in your system, please see the [Fedora Template](/doc/templates/fedora/) page instead. ([Learn more about the two options.](/doc/templates/fedora/#upgrading))
|
||||
|
||||
## Summary instructions for standard Fedora TemplateVMs
|
||||
## Summary instructions for standard Fedora templates
|
||||
|
||||
**Note:** The prompt on each line indicates where each command should be entered: `dom0`, `fedora-<old>`, or `fedora-<new>`, where `<old>` is the Fedora version number *from* which you are upgrading, and `<new>` is the Fedora version number *to* which you are upgrading.
|
||||
|
||||
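Review bot: capitalization is inconsistent in the two rewritten intro sentences. The link text becomes `[Fedora Template](/doc/templates/fedora/)` with a capital T, while the warning box and the headings in the same hunk use lowercase `Fedora template`. Suggest `[Fedora template]` in both sentences, unless the capital is meant to quote the target page's title.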
@ -52,10 +52,10 @@ If you wish to install a new, unmodified Fedora TemplateVM instead of upgrading
|
||||
|
||||
**Recommended:** [Switch everything that was set to the old template to the new template.](/doc/templates/#switching)
|
||||
|
||||
## Detailed instructions for standard Fedora TemplateVMs
|
||||
## Detailed instructions for standard Fedora templates
|
||||
|
||||
These instructions will show you how to upgrade the standard Fedora TemplateVM.
|
||||
The same general procedure may be used to upgrade any template based on the standard Fedora TemplateVM.
|
||||
These instructions will show you how to upgrade the standard Fedora template.
|
||||
The same general procedure may be used to upgrade any template based on the standard Fedora template.
|
||||
|
||||
**Note:** The prompt on each line indicates where each command should be entered: `dom0`, `fedora-<old>`, or `fedora-<new>`, where `<old>` is the Fedora version number *from* which you are upgrading, and `<new>` is the Fedora version number *to* which you are upgrading.
|
||||
|
||||
@ -123,7 +123,7 @@ The same general procedure may be used to upgrade any template based on the stan
|
||||
At least X MB more space needed on the / filesystem.
|
||||
`
|
||||
|
||||
In this case, one option is to [resize the TemplateVM's disk image](/doc/resize-disk-image/) before reattempting the upgrade process.
|
||||
In this case, one option is to [resize the template's disk image](/doc/resize-disk-image/) before reattempting the upgrade process.
|
||||
(See [Additional Information](#additional-information) below for other options.)
|
||||
|
||||
4. Check that you are on the correct (new) Fedora release. Do this check only after completing the upgrade process. This is *not* a troubleshooting procedure for fixing download issues from the repository. This check simply verifies that your clone has successfully been upgraded.
|
||||
@ -143,7 +143,7 @@ The same general procedure may be used to upgrade any template based on the stan
|
||||
[user@fedora-<new> ~]$ sudo fstrim -av
|
||||
```
|
||||
|
||||
6. Shut down the new TemplateVM.
|
||||
6. Shut down the new template.
|
||||
|
||||
```
|
||||
[user@dom0 ~]$ qvm-shutdown fedora-<new>
|
||||
@ -167,7 +167,7 @@ The same general procedure may be used to upgrade any template based on the stan
|
||||
10. (Optional) [Uninstall the old template.](/doc/templates/#uninstalling)
|
||||
Make sure that the template you're uninstalling is the old one, not the new one!
|
||||
|
||||
## Summary instructions for Fedora Minimal TemplateVMs
|
||||
## Summary instructions for Fedora Minimal templates
|
||||
|
||||
**Note:** The prompt on each line indicates where each command should be entered: `dom0`, `fedora-<old>`, or `fedora-<new>`, where `<old>` is the Fedora version number *from* which you are upgrading, and `<new>` is the Fedora version number *to* which you are upgrading.
|
||||
|
||||
@ -179,18 +179,18 @@ The same general procedure may be used to upgrade any template based on the stan
|
||||
[user@fedora-<new>-minimal ~]# fstrim -v /
|
||||
```
|
||||
|
||||
(Shut down TemplateVM by any normal means.)
|
||||
(Shut down template by any normal means.)
|
||||
|
||||
(If you encounter insufficient space issues, you may need to use the methods described for the standard template above.)
|
||||
|
||||
## StandaloneVMs
|
||||
|
||||
The procedure for upgrading a Fedora [StandaloneVM](/doc/standalone-and-hvm/) is the same as for a TemplateVM.
|
||||
The procedure for upgrading a Fedora [StandaloneVM](/doc/standalone-and-hvm/) is the same as for a template.
|
||||
|
||||
|
||||
## Release-specific notes
|
||||
|
||||
See the [news](/news/) announcement for each specific TemplateVM release for any important notices about that particular release.
|
||||
See the [news](/news/) announcement for each specific template release for any important notices about that particular release.
|
||||
|
||||
|
||||
### End-of-life (EOL) releases
|
||||
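Review bot: the replacement line `(Shut down template by any normal means.)` needs an article now that the proper noun has become a common noun. It should read `(Shut down the template by any normal means.)`, matching step 6 of the detailed instructions (`Shut down the new template.`). The `## StandaloneVMs` heading and link text are left unchanged here; if that is intentional, a word in the commit message would help.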
@ -209,12 +209,12 @@ At least X MB more space needed on the / filesystem.
|
||||
|
||||
In this case, you have several options:
|
||||
|
||||
1. [Increase the TemplateVM's disk image size](/doc/resize-disk-image/).
|
||||
1. [Increase the template's disk image size](/doc/resize-disk-image/).
|
||||
This is the solution mentioned in the main instructions above.
|
||||
2. Delete files in order to free up space. One way to do this is by uninstalling packages.
|
||||
You may then reinstall them again after you finish the upgrade process, if desired).
|
||||
However, you may end up having to increase the disk image size anyway (see previous option).
|
||||
3. Do the upgrade in parts, e.g., by using package groups.
|
||||
(First upgrade `@core` packages, then the rest.)
|
||||
4. Do not perform an in-place upgrade, see [Upgrading Fedora TemplateVMs](/doc/templates/fedora/#upgrading).
|
||||
4. Do not perform an in-place upgrade, see [Upgrading Fedora templates](/doc/templates/fedora/#upgrading).
|
||||
|
||||
|
@ -7,11 +7,11 @@ title: Fedora Templates
|
||||
---
|
||||
|
||||
|
||||
The Fedora [TemplateVM](/doc/templates/) is the default TemplateVM in Qubes OS. This page is about the standard (or "full") Fedora TemplateVM. For the minimal and Xfce versions, please see the [Minimal TemplateVMs](/doc/templates/minimal/) and [Xfce TemplateVMs](/doc/templates/xfce/) pages.
|
||||
The Fedora [template](/doc/templates/) is the default template in Qubes OS. This page is about the standard (or "full") Fedora template. For the minimal and Xfce versions, please see the [Minimal templates](/doc/templates/minimal/) and [Xfce templates](/doc/templates/xfce/) pages.
|
||||
|
||||
## Installing
|
||||
|
||||
To [install](/doc/templates/#installing) a specific Fedora TemplateVM that is not currently installed in your system, use the following command in dom0:
|
||||
To [install](/doc/templates/#installing) a specific Fedora template that is not currently installed in your system, use the following command in dom0:
|
||||
|
||||
```
|
||||
$ sudo qubes-dom0-update qubes-template-fedora-XX
|
||||
@ -19,25 +19,25 @@ $ sudo qubes-dom0-update qubes-template-fedora-XX
|
||||
|
||||
(Replace `XX` with the Fedora version number of the template you wish to install.)
|
||||
|
||||
To reinstall a Fedora TemplateVM that is already installed in your system, see [How to Reinstall a TemplateVM](/doc/reinstall-template/).
|
||||
To reinstall a Fedora template that is already installed in your system, see [How to Reinstall a template](/doc/reinstall-template/).
|
||||
|
||||
## After Installing
|
||||
|
||||
After installing a fresh Fedora TemplateVM, we recommend performing the following steps:
|
||||
After installing a fresh Fedora template, we recommend performing the following steps:
|
||||
|
||||
1. [Update the TemplateVM](/doc/software-update-vm/).
|
||||
1. [Update the template](/doc/software-update-vm/).
|
||||
|
||||
2. [Switch any app qubes that are based on the old TemplateVM to the new one](/doc/templates/#switching).
|
||||
2. [Switch any app qubes that are based on the old template to the new one](/doc/templates/#switching).
|
||||
|
||||
3. If desired, [uninstall the old TemplateVM](/doc/templates/#uninstalling).
|
||||
3. If desired, [uninstall the old template](/doc/templates/#uninstalling).
|
||||
|
||||
## Updating
|
||||
|
||||
For routine daily updates within a given release, see [Updating software in TemplateVMs](/doc/how-to-install-software/#updating-software-in-templatevms).
|
||||
For routine daily updates within a given release, see [Updating software in templates](/doc/how-to-install-software/#updating-software-in-templates).
|
||||
|
||||
## Upgrading
|
||||
|
||||
There are two ways to upgrade your TemplateVM to a new Fedora release:
|
||||
There are two ways to upgrade your template to a new Fedora release:
|
||||
|
||||
- [Install a fresh template to replace the existing one.](#installing) **This option may be simpler for less experienced users.** After you install the new template, redo all desired template modifications and [switch everything that was set to the old template to the new template](/doc/templates/#switching). You may want to write down the modifications you make to your templates so that you remember what to redo on each fresh install. To see a log of package manager actions, open a terminal in the old Fedora template and use the `dnf history` command.
|
||||
|
||||
|
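Review bot: the Updating link changes its fragment from `#updating-software-in-templatevms` to `#updating-software-in-templates`, which only resolves if the matching heading in `/doc/how-to-install-software/` is renamed in the same commit. Please confirm that, since a stale fragment fails silently. Also in this hunk, `[How to Reinstall a template]` mixes title case with a lowercase noun, while the target page's title is `How to Reinstall a Template`.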
@ -10,12 +10,12 @@ title: How to Reinstall a Template
|
||||
---
|
||||
|
||||
|
||||
If you suspect your [TemplateVM](/doc/templates/) is broken, misconfigured, or compromised, you can reinstall any TemplateVM that was installed from the Qubes repository.
|
||||
If you suspect your [template](/doc/templates/) is broken, misconfigured, or compromised, you can reinstall any template that was installed from the Qubes repository.
|
||||
|
||||
Automatic Method
|
||||
----------------
|
||||
|
||||
First, copy any files that you wish to keep from the TemplateVM's `/home` and `/rw` folders to a safe storage location.
|
||||
First, copy any files that you wish to keep from the template's `/home` and `/rw` folders to a safe storage location.
|
||||
Then, in a dom0 terminal, run:
|
||||
|
||||
```
|
||||
@ -44,21 +44,21 @@ $ sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinsta
|
||||
Manual Method
|
||||
-------------
|
||||
|
||||
In what follows, the term "target TemplateVM" refers to whichever TemplateVM you want to reinstall.
|
||||
If you want to reinstall more than one TemplateVM, repeat these instructions for each one.
|
||||
In what follows, the term "target template" refers to whichever template you want to reinstall.
|
||||
If you want to reinstall more than one template, repeat these instructions for each one.
|
||||
|
||||
1. Clone the existing target TemplateVM.
|
||||
1. Clone the existing target template.
|
||||
|
||||
This can be a good idea if you've customized the existing template and want to keep your customizations.
|
||||
On the other hand, if you suspect that this template is broken, misconfigured, or compromised, be certain you do not start any VMs using it in the below procedure.
|
||||
|
||||
2. Temporarily change all VMs based on the target TemplateVM to the new clone template, or remove them.
|
||||
2. Temporarily change all VMs based on the target template to the new clone template, or remove them.
|
||||
|
||||
This can be a good idea if you have user data in these VMs that you want to keep.
|
||||
On the other hand, if you suspect that these VMs (or the templates on which they are based) are broken, misconfigured, or compromised, you may want to remove them instead.
|
||||
You can do this in Qubes Manager by right-clicking on the VM and clicking **Remove VM**, or you can use the command `qvm-remove <vm-name>` in dom0.
|
||||
|
||||
3. Uninstall the target TemplateVM from dom0:
|
||||
3. Uninstall the target template from dom0:
|
||||
|
||||
```
|
||||
$ sudo dnf remove <template-package-name>
|
||||
@ -70,7 +70,7 @@ If you want to reinstall more than one TemplateVM, repeat these instructions for
|
||||
$ sudo dnf remove qubes-template-whonix-gw
|
||||
```
|
||||
|
||||
4. Reinstall the target TemplateVM in dom0:
|
||||
4. Reinstall the target template in dom0:
|
||||
|
||||
```shell_session
|
||||
$ sudo qubes-dom0-update --enablerepo=<optional-additional-repo> \
|
||||
@ -84,8 +84,8 @@ If you want to reinstall more than one TemplateVM, repeat these instructions for
|
||||
qubes-template-whonix-gw
|
||||
```
|
||||
|
||||
5. If you temporarily changed all VMs based on the target TemplateVM to the clone template in step 3, change them back to the new target TemplateVM now.
|
||||
If you instead removed all VMs based on the old target TemplateVM, you can recreate your desired VMs from the newly reinstalled target TemplateVM now.
|
||||
5. If you temporarily changed all VMs based on the target template to the clone template in step 3, change them back to the new target template now.
|
||||
If you instead removed all VMs based on the old target template, you can recreate your desired VMs from the newly reinstalled target template now.
|
||||
|
||||
6. Delete the cloned template.
|
||||
You can do this in Qubes Manager by right-clicking on the VM and clicking **Remove VM**, or you can use the
|
||||
|
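Review bot: step 5 says the VMs were switched to the clone template `in step 3`, but in this procedure the switch is step 2 (`Temporarily change all VMs based on the target template to the new clone template, or remove them`) and step 3 is the uninstall. Since the line is being rewritten anyway, correct the cross-reference to `step 2`.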
@ -13,22 +13,22 @@ ref: 132
|
||||
title: Minimal Templates
|
||||
---
|
||||
|
||||
The Minimal [TemplateVMs](/doc/templates/) are lightweight versions of their standard TemplateVM counterparts.
|
||||
The Minimal [templates](/doc/templates/) are lightweight versions of their standard template counterparts.
|
||||
They have only the most vital packages installed, including a minimal X and xterm installation.
|
||||
The sections below contain instructions for using the template and provide some examples for common use cases.
|
||||
There are currently three Minimal TemplateVMs corresponding to the standard [Fedora](/doc/templates/fedora/), [Debian](/doc/templates/debian/), [CentOS](/doc/templates/centos/) and [Gentoo](/doc/templates/gentoo/) TemplateVMs.
|
||||
There are currently three Minimal templates corresponding to the standard [Fedora](/doc/templates/fedora/), [Debian](/doc/templates/debian/), [CentOS](/doc/templates/centos/) and [Gentoo](/doc/templates/gentoo/) templates.
|
||||
|
||||
## Important
|
||||
|
||||
1. The Minimal TemplateVMs are intended only for advanced users.
|
||||
If you encounter problems with the Minimal TemplateVMs, we recommend that you use their standard TemplateVM counterparts instead.
|
||||
1. The Minimal templates are intended only for advanced users.
|
||||
If you encounter problems with the Minimal templates, we recommend that you use their standard template counterparts instead.
|
||||
|
||||
2. If something works with a standard TemplateVM but not the minimal version, this is most likely due to user error (e.g., a missing package or misconfiguration) rather than a bug.
|
||||
2. If something works with a standard template but not the minimal version, this is most likely due to user error (e.g., a missing package or misconfiguration) rather than a bug.
|
||||
In such cases, please do *not* file a bug report.
|
||||
Instead, please see [Help, Support, Mailing Lists, and Forum](/support/) for the appropriate place to ask for help.
|
||||
Once you have learned how to solve your problem, please [contribute what you learned to the documentation](/doc/doc-guidelines/).
|
||||
|
||||
3. The Minimal TemplateVMs are intentionally *minimal*.
|
||||
3. The Minimal templates are intentionally *minimal*.
|
||||
[Do not ask for your favorite package to be added to the minimal template by default.](/faq/#could-you-please-make-my-preference-the-default)
|
||||
|
||||
4. In order to reduce unnecessary risk, unused repositories have been disabled by default.
|
||||
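Review bot: the rewritten sentence still says `There are currently three Minimal templates` and then lists four distros (Fedora, Debian, CentOS and Gentoo). Correct the count, or drop it so that the sentence does not go stale the next time a distro is added.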
@ -36,7 +36,7 @@ There are currently three Minimal TemplateVMs corresponding to the standard [Fed
|
||||
|
||||
## Installation
|
||||
|
||||
The Minimal TemplateVMs can be installed with the following command (where `X` is your desired distro and version number):
|
||||
The Minimal templates can be installed with the following command (where `X` is your desired distro and version number):
|
||||
|
||||
```
|
||||
[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-X-minimal
|
||||
@ -59,20 +59,20 @@ The download may take a while depending on your connection speed.
|
||||
|
||||
## Passwordless root
|
||||
|
||||
It is an intentional design choice for [Passwordless Root Access in VMs](/doc/vm-sudo/) to be optional in Minimal TemplateVMs.
|
||||
Since the Minimal TemplateVMs are *minimal*, they are not configured for passwordless root by default.
|
||||
It is an intentional design choice for [Passwordless Root Access in VMs](/doc/vm-sudo/) to be optional in Minimal templates.
|
||||
Since the Minimal templates are *minimal*, they are not configured for passwordless root by default.
|
||||
To update or install packages, execute the following command in dom0 (where `X` is your distro and version number):
|
||||
|
||||
```
|
||||
[user@dom0 ~]$ qvm-run -u root X-minimal xterm
|
||||
```
|
||||
|
||||
This opens a root terminal in the Minimal TemplateVM, from which you can use execute root commands without `sudo`.
|
||||
This opens a root terminal in the Minimal template, from which you can use execute root commands without `sudo`.
|
||||
You will have to do this every time if you choose not to enable passwordless root.
|
||||
|
||||
If you want to be able to use `sudo` inside a Minimal TemplateVM (or app qubes based on a Minimal TemplateVM), open a root terminal as just instructed, then install the `qubes-core-agent-passwordless-root` package.
|
||||
If you want to be able to use `sudo` inside a Minimal template (or app qubes based on a Minimal template), open a root terminal as just instructed, then install the `qubes-core-agent-passwordless-root` package.
|
||||
|
||||
Optionally, verify that passwordless root now works by opening a normal (non-root) xterm window in the Minimal TemplateVM, then issue the command `sudo -l`.
|
||||
Optionally, verify that passwordless root now works by opening a normal (non-root) xterm window in the Minimal template, then issue the command `sudo -l`.
|
||||
This should give you output that includes the `NOPASSWD` keyword.
|
||||
|
||||
## Customization
|
||||
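Review bot: the touched line `from which you can use execute root commands without sudo` carries a leftover word. It should read `from which you can execute root commands`. Worth fixing in this pass, since the line is already being changed.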
@ -84,7 +84,7 @@ Customizing the template for specific use cases normally only requires installin
|
||||
|
||||
## Distro-specific notes
|
||||
|
||||
This following sections provide information that is specific to a particular Minimal TemplateVM distro.
|
||||
This following sections provide information that is specific to a particular Minimal template distro.
|
||||
|
||||
### Fedora
|
||||
|
||||
|
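Review bot: `This following sections provide` is ungrammatical on the rewritten line. Suggest `The following sections provide information that is specific to a particular Minimal template distro.`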
@ -17,7 +17,7 @@ you can install one of the available Xfce templates for [Fedora](/doc/templates/
|
||||
|
||||
## Installation
|
||||
|
||||
The Fedora Xfce TemplateVMs can be installed with the following command (where `X` is your desired distro and version number):
|
||||
The Fedora Xfce templates can be installed with the following command (where `X` is your desired distro and version number):
|
||||
|
||||
```
|
||||
[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-X-xfce
|
||||
@ -45,5 +45,5 @@ You may wish to try again with the testing repository enabled:
|
||||
|
||||
The download may take a while depending on your connection speed.
|
||||
|
||||
To reinstall a Xfce TemplateVM that is already installed in your system, see [How to Reinstall a TemplateVM](/doc/reinstall-template/).
|
||||
To reinstall a Xfce template that is already installed in your system, see [How to Reinstall a template](/doc/reinstall-template/).
|
||||
|
||||
|
@ -32,10 +32,10 @@ What if my application has not been automatically included in the list of availa
|
||||
Some times applications may not have included a `.desktop` file and may not be detected by `qvm-sync-appmenus`.
|
||||
Other times, you may want to make a web shortcut available from the Qubes start menu.
|
||||
|
||||
You can manually create new entries in the "available applications" list of shortcuts for all app qubes based on a TemplateVM.
|
||||
You can manually create new entries in the "available applications" list of shortcuts for all app qubes based on a template.
|
||||
To do this:
|
||||
|
||||
1. Open a terminal window to the TemplateVM.
|
||||
1. Open a terminal window to the template.
|
||||
2. Create a custom `.desktop` file in `/usr/share/applications` (you may need to first create the subdirectory).
|
||||
Look in `/usr/share/applications` for existing examples, or see the full [file specification](https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html).
|
||||
It will be something like:
|
||||
@ -53,7 +53,7 @@ To do this:
|
||||
Exec=vuescan
|
||||
```
|
||||
|
||||
3. In dom0, run `qvm-sync-appmenus <TemplateVMName>`.
|
||||
3. In dom0, run `qvm-sync-appmenus <templateName>`.
|
||||
4. Go to VM Settings of the app qube(s) to which you want to add the new shortcut, then the Applications tab.
|
||||
Move the newly created shortcut to the right under selected.
|
||||
|
||||
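Review bot: the placeholder `<templateName>` in step 3 is a mechanical result of the rename and does not match the hyphenated lowercase placeholders used elsewhere in these docs (`<vm-name>`, `<template-package-name>`). Suggest `qvm-sync-appmenus <template-name>`.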
@ -102,7 +102,7 @@ Behind the scenes
|
||||
-----------------
|
||||
|
||||
`qvm-sync-appmenus` works by invoking *GetAppMenus* [Qubes service](/doc/qrexec/) in the target domain.
|
||||
This service enumerates installed applications and sends formatted info back to the dom0 script (`/usr/libexec/qubes-appmenus/qubes-receive-appmenus`) which creates .desktop files in the app qube/TemplateVM directory.
|
||||
This service enumerates installed applications and sends formatted info back to the dom0 script (`/usr/libexec/qubes-appmenus/qubes-receive-appmenus`) which creates .desktop files in the app qube/template directory.
|
||||
|
||||
For Linux VMs the service script is in `/etc/qubes-rpc/qubes.GetAppMenus`.
|
||||
In Windows it's a PowerShell script located in `c:\Program Files\Invisible Things Lab\Qubes OS Windows Tools\qubes-rpc-services\get-appmenus.ps1` by default.
|
||||
|
@ -11,7 +11,7 @@ title: Media Troubleshooting
|
||||
|
||||
If you’re having trouble playing a video file in a qube, you’re probably missing the required codecs.
|
||||
The easiest way to resolve this is to install VLC Media Player and use that to play your video files.
|
||||
You can do this in multiple different TemplateVM distros by following the instructions [here](/faq/#how-do-i-play-video-files).
|
||||
You can do this in multiple different template distros by following the instructions [here](/faq/#how-do-i-play-video-files).
|
||||
|
||||
## Video lagging
|
||||
|
||||
|
@ -151,5 +151,5 @@ Look at the [FAQs](/faq/#i-assigned-a-pci-device-to-a-qube-then-unassigned-itshu
|
||||
You may have an adapter (wired, wireless), that is not compatible with open-source drivers shipped by Qubes.
|
||||
You may need to install a binary blob, which provides drivers, from the linux-firmware package.
|
||||
|
||||
Open a terminal and run `sudo dnf install linux-firmware` in the TemplateVM upon which your NetVM is based.
|
||||
You have to restart the NetVM after the TemplateVM has been shut down.
|
||||
Open a terminal and run `sudo dnf install linux-firmware` in the template upon which your NetVM is based.
|
||||
You have to restart the NetVM after the template has been shut down.
|
||||
|
@ -22,11 +22,11 @@ Here are some examples of non-Qubes reports about this problem:
|
||||
|
||||
More examples can be found by searching for "Failed to synchronize cache for repo" (with quotation marks) on your preferred search engine.
|
||||
|
||||
## Lost internet access after a TemplateVM update
|
||||
## Lost internet access after a template update
|
||||
|
||||
In earlier versions of Qubes, there were situations where qubes lost internet access after a TemplateVM update. The following fix should be applied in recent versions of Qubes.
|
||||
In earlier versions of Qubes, there were situations where qubes lost internet access after a template update. The following fix should be applied in recent versions of Qubes.
|
||||
|
||||
Run `systemctl enable NetworkManager-dispatcher.service` in the TemplateVM upon which your NetVM is based.
|
||||
Run `systemctl enable NetworkManager-dispatcher.service` in the template upon which your NetVM is based.
|
||||
You may have to reboot afterward for the change to take effect.
|
||||
(Note: This is an upstream problem. See [this Redhat ticket](https://bugzilla.redhat.com/show_bug.cgi?id=974811)).
|
||||
For details, see the qubes-users mailing list threads [here](https://groups.google.com/d/topic/qubes-users/xPLGsAJiDW4/discussion) and [here](https://groups.google.com/d/topic/qubes-users/uN9G8hjKrGI/discussion).)
|
||||
@ -37,12 +37,12 @@ This has nothing to do with Qubes.
|
||||
It's a longstanding Windows bug.
|
||||
More information about this issue and solutions can be found [here](https://superuser.com/questions/951960/windows-7-sp1-windows-update-stuck-checking-for-updates).
|
||||
|
||||
## Dom0 and/or TemplateVM update stalls when updating via the GUI tool
|
||||
## Dom0 and/or template update stalls when updating via the GUI tool
|
||||
|
||||
This can usually be fixed by updating via the command line.
|
||||
|
||||
In dom0, open a terminal and run `sudo qubes-dom0-update`.
|
||||
|
||||
Depending on your operating system, open a terminal in the TemplateVMs and run:
|
||||
Depending on your operating system, open a terminal in the templates and run:
|
||||
* Fedora: `sudo dnf upgrade`
|
||||
* Debian: `apt-get update && apt-get dist-upgrade`
|
||||
|
@ -9,7 +9,7 @@ title: Updating Debian and Whonix
|
||||
|
||||
Despite Qubes shipping with [Debian Templates](/doc/templates/debian/), most of Qubes core components run on Fedora and thus our documentation has better coverage for Fedora. However, Qubes has been working closely with the [Whonix](https://whonix.org) project which is based on Debian.
|
||||
|
||||
This troubleshooting guide is collection of tips about updating Whonix that also pertain to updating the normal Debian package manager. If you plan to use Debian heavily, **we highly recommend you install the Whonix templates and use them to update your normal Debian TemplateVM.**
|
||||
This troubleshooting guide is collection of tips about updating Whonix that also pertain to updating the normal Debian package manager. If you plan to use Debian heavily, **we highly recommend you install the Whonix templates and use them to update your normal Debian template.**
|
||||
|
||||
*Note: some of the links on this page go to documentation on Whonix's website*
|
||||
|
||||
|
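Review bot: the rewritten paragraph opens with `This troubleshooting guide is collection of tips`, which is missing an article. `is a collection of tips` reads correctly and can be fixed on the same line this commit already changes.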
@ -101,7 +101,7 @@ If your computer has a PS/2 port, you may instead use a PS/2 keyboard to enter t
|
||||
When trying to [create and use a USB qube](/doc/how-to-use-usb-devices/#creating-and-using-a-usb-qube) with the `qubes-usb-proxy` package, you may receive this error: `ERROR: qubes-usb-proxy not installed in the VM`.
|
||||
|
||||
If you encounter this error, you can install the `qubes-usb-proxy` with the package manager in the VM you want to attach the USB device to.
|
||||
Depending on your operating system, open a terminal in the TemplateVM and enter one of the following commands:
|
||||
Depending on your operating system, open a terminal in the template and enter one of the following commands:
|
||||
|
||||
- Fedora: `sudo dnf install qubes-usb-proxy`
|
||||
- Debian/Ubuntu: `sudo apt-get install qubes-usb-proxy`
|
||||
|
@ -76,7 +76,7 @@ Common reasons that may be revealed are: too low memory, corrupted files or a VM
|
||||
|
||||
If the error occurs as a result of too little initial memory, increase the initial memory from 200MB to 400MB by navigating to VM settings » Advanced » Initial memory.
|
||||
|
||||
## "No match found" when trying to install a TemplateVM
|
||||
## "No match found" when trying to install a template
|
||||
|
||||
For example:
|
||||
|
||||
|