diff --git a/about/screenshots.md b/about/screenshots.md index fc3cb6b5..0f15d5f6 100644 --- a/about/screenshots.md +++ b/about/screenshots.md @@ -13,7 +13,7 @@ Select Qubes OS Screenshots [![r32-xfce-desktop.png](/attachment/wiki/QubesScreenshots/r32-xfce-desktop.png)](/attachment/wiki/QubesScreenshots/r32-xfce-desktop.png) -Beginning with Qubes 3.2, the default desktop environment is Xfce4. +The default desktop environment is Xfce4. * * * * * diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md index 46fa3a37..94a5575f 100644 --- a/common-tasks/backup-restore.md +++ b/common-tasks/backup-restore.md @@ -11,17 +11,13 @@ redirect_from: Qubes Backup, Restoration, and Migration ======================================== -**Caution:** The Qubes R3.2 backup system currently relies on a [weak key derivation scheme](https://github.com/QubesOS/qubes-issues/issues/971). -Although resolved in R4.0 and higher with the switch to scrypt, it is *strongly recommended* that users select a *high-entropy* passphrase for use with Qubes backups. - - With Qubes, it's easy to back up and restore your whole system, as well as to migrate between two physical machines. -As of Qubes R2B3, these functions are integrated into the Qubes VM Manager GUI. +These functions are integrated into Qube Manager. There are also two command-line tools available which perform the same functions: `qvm-backup` and `qvm-backup-restore`. -Creating a Backup (R4.0 and later) +Creating a Backup ----------------- 1. Go to **Applications menu -> System Tools -> Backup Qubes**. @@ -62,50 +58,8 @@ If there are any issues preventing the backup, they will be listed here and the Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**. -Creating a Backup (R3.2 and earlier) ------------------ -1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Backup VMs** in the drop-down list. -This brings up the **Qubes Backup VMs** window. - -2. Move the VMs that you want to back up to the right-hand **Selected** column. -VMs in the left-hand **Available** column will not be backed up. - - **Note:** A VM must be shut down in order to be backed up. - Currently running VMs appear in red. - - Once you have selected all desired VMs, click **Next**. - -3. Select the destination for the backup: - - If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**. - If you wish to send your backup to a [USB mass storage device](/doc/usb/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination. - - You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. - For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right. - If it does not exist, you must create it manually prior to backing up. - - By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. - Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM. - This can be used to send your backup directly to, e.g., a remote server using SSH. - - At this point, you must also choose whether to encrypt your backup by checking or unchecking the **Encrypt backup** box. - - **Note:** It is strongly recommended that you opt to encrypt all backups which will be sent to untrusted destinations! - - **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification. - If you decide not to encrypt your backup (by unchecking the **Encrypt backup** box), the passphrase you supply will be used **only** for integrity verification. - If you supply a passphrase but do not check the **Encrypt backup** box, your backup will **not** be encrypted! - -4. You will now see the summary of VMs to be backed up. -If there are any issues preventing the backup, they will be listed here and the **Next** button grayed out. - -5. When you are ready, click **Next**. -Qubes will proceed to create your backup. -Once the progress bar has completed, you may click **Finish**. - - -Restoring from a Backup (R4.0 and later) +Restoring from a Backup ----------------------- 1. Go to **Applications menu -> System Tools -> Restore Backup**. @@ -143,45 +97,6 @@ If there are any issues preventing the restore, they will be listed here and the Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**. -Restoring from a Backup (R3.2 and earlier) ------------------------ - -1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Restore VMs from backup** in the drop-down list. -This brings up the **Qubes Restore VMs** window. - -2. Select the source location of the backup to be restored: - - - If your backup is located on a [USB mass storage device](/doc/usb/), attach it first to another VM or select `sys-usb` in the next item. - - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**. - - You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. - If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. - For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. - Once you've located the backup file, double-click or select it and hit **OK**. - -3. There are three options you may select when restoring from a backup: - 1. **ignore missing**: If any of the VMs in your backup depended upon a NetVM, ProxyVM, or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway and set them to use the default NetVM and system default template. - 2. **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. - If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway. - 3. **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. - However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details. - -4. If your backup is encrypted, you must check the **Encrypted backup** box. -If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here. - - **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. - If the backup was not encrypted, the supplied passphrase is used only for integrity verification. - - **Note:** A VM cannot be restored from a backup if a VM with the same name already exists on the current system. - You must first remove or change the name of any VM with the same name in order to restore such a VM. - -5. You will now see the summary of VMs to be restored. -If there are any issues preventing the restore, they will be listed here and the **Next** button grayed out. - -6. When you are ready, click **Next**. -Qubes will proceed to restore from your backup. -Once the progress bar has completed, you may click **Finish**. - Emergency Backup Recovery without Qubes --------------------------------------- @@ -220,9 +135,6 @@ Here are some things to consider when selecting a passphrase for your backups: Notes ----- - * The Qubes R3.2 and earlier backup system relies on `openssl enc`, which is known to use a very weak key derivation scheme. - The Qubes backup system also uses the same passphrase for authentication and for encryption, which is problematic from a security perspective. - Users are advised to use a very high entropy passphrase for Qubes backups. - For a full discussion, see [this ticket](https://github.com/QubesOS/qubes-issues/issues/971) and [this thread](https://groups.google.com/d/msg/qubes-devel/CZ7WRwLXcnk/u_rZPoVxL5IJ). * For the technical details of the backup system, please refer to [this thread](https://groups.google.com/d/topic/qubes-devel/TQr_QcXIVww/discussion). * If working with symlinks, note the issues described in [this thread](https://groups.google.com/d/topic/qubes-users/EITd1kBHD30/discussion). + diff --git a/common-tasks/copy-from-dom0.md b/common-tasks/copy-from-dom0.md index 94731d9a..7719bd59 100644 --- a/common-tasks/copy-from-dom0.md +++ b/common-tasks/copy-from-dom0.md @@ -39,11 +39,7 @@ You may now paste the log contents to any VM as you normally would (i.e., Ctrl-S For data other than logs, there are several options: 1. Copy it as a file (see above) -2. In Qubes 3.2 you can copy text to the dom0 clipboard (Ctrl-C as normal), then click "Copy Dom0 clipboard" in the Qubes menu: - ![copy-dom0-clipboard](/attachment/wiki/QubesScreenshots/r3.2-dom0-copyout.png) - which is equivelant to Ctrl-Shift-C from a normal AppVM. - Then you can use Ctrl-Shift-V and Ctrl-V or Shift-Insert to paste the copied text into an AppVM as normal. -3. In other versions, write the data you wish to copy into `/var/run/qubes/qubes-clipboard.bin`, then `echo -n dom0 > /var/run/qubes/qubes-clipboard.bin.source`. +2. Wwrite the data you wish to copy into `/var/run/qubes/qubes-clipboard.bin`, then `echo -n dom0 > /var/run/qubes/qubes-clipboard.bin.source`. Then use Ctrl-Shift-V to paste the data to the desired VM. diff --git a/common-tasks/disposablevm.md b/common-tasks/disposablevm.md index 5b54a563..ec8b855b 100644 --- a/common-tasks/disposablevm.md +++ b/common-tasks/disposablevm.md @@ -38,10 +38,7 @@ For details, see [this thread](https://groups.google.com/d/topic/qubes-devel/QwL When it is essential to avoid leaving any trace, consider using [Tails](https://tails.boum.org/). -## Qubes 4.0 ## - - -### DisposableVMs and Networking ### +## DisposableVMs and Networking ## Similarly to how AppVMs are based on their underlying [TemplateVM](https://www.qubes-os.org/doc/glossary/#templatevm), DisposableVMs are based on their underlying [DisposableVM Template](https://www.qubes-os.org/doc/glossary/#disposablevm-template). R4.0 introduces the concept of multiple DisposableVM Templates, whereas R3.2 was limited to only one. @@ -87,7 +84,7 @@ To launch a DVM from the command line, in dom0 please type the following: qvm-run --dispvm=NameOfDVM --service qubes.StartApp+NameOfApp -### Opening a file in a DisposableVM via GUI ### +## Opening a file in a DisposableVM via GUI ## In an AppVM's file manager, right click on the file you wish to open in a DisposableVM, then choose "Open in DisposableVM". Wait a few seconds and the default application for this file type should appear displaying the file content. @@ -98,7 +95,7 @@ If you have edited the file and saved the changes, the changed file will be save ![r1-open-in-dispvm-1.png](/attachment/wiki/DisposableVms/r1-open-in-dispvm-1.png) ![r1-open-in-dispvm-2.png](/attachment/wiki/DisposableVms/r1-open-in-dispvm-2.png) -### Opening a fresh web browser instance in a new DisposableVM ### +## Opening a fresh web browser instance in a new DisposableVM ## Sometimes it is desirable to open an instance of Firefox within a new fresh DisposableVM. This can be done easily using the Start Menu: just go to **Application Menu -\> DisposableVM -\> DisposableVM:Firefox web browser**. @@ -108,7 +105,7 @@ Once you close the viewing application the whole DisposableVM will be destroyed. ![r1-open-in-dispvm-3.png](/attachment/wiki/DisposableVms/r1-open-in-dispvm-3.png) -### Opening a file in a DisposableVM via command line (from AppVM) ### +## Opening a file in a DisposableVM via command line (from AppVM) ## Use the `qvm-open-in-dvm` command from a terminal in your AppVM: @@ -119,7 +116,7 @@ Use the `qvm-open-in-dvm` command from a terminal in your AppVM: Note that the `qvm-open-in-dvm` process will not exit until you close the application in the DisposableVM. -### Starting an arbitrary program in a DisposableVM from an AppVM ### +## Starting an arbitrary program in a DisposableVM from an AppVM ## Sometimes it can be useful to start an arbitrary program in a DisposableVM. This can be done from an AppVM by running @@ -130,7 +127,7 @@ Sometimes it can be useful to start an arbitrary program in a DisposableVM. This The created DisposableVM can be accessed via other tools (such as `qvm-copy-to-vm`) using its `disp####` name as shown in the Qubes Manager or `qvm-ls`. -### Starting an arbitrary application in a DisposableVM via command line from dom0 ### +## Starting an arbitrary application in a DisposableVM via command line from dom0 ## The Application Launcher has shortcuts for opening a terminal and a web browser in dedicated DisposableVMs, since these are very common tasks. However, it is possible to start an arbitrary application in a DisposableVM directly from dom0 by running: @@ -143,7 +140,7 @@ The label color will be inherited from the `dvm-template`. (The DisposableVM Application Launcher shortcut used for starting programs runs a very similar command to the one above.) -#### Opening a link in a DisposableVM based on a non-default DisposableVM Template from a qube #### +### Opening a link in a DisposableVM based on a non-default DisposableVM Template from a qube ### Suppose that the default DisposableVM Template for your `email` qube has no networking (e.g., so that untrusted attachments can't phone home). However, sometimes you want to open email links in DisposableVMs. @@ -157,87 +154,7 @@ $ qvm-open-in-vm @dispvm:online-dvm-template https://www.qubes-os.org This will create a new DisposableVM based on `online-dvm-template`, open the default web browser in that DisposableVM, and navigate to `https://www.qubes-os.org`. -### Customizing DisposableVMs ### - -You can change the template used to generate the DisposableVMs, and change settings used in the DisposableVM savefile. -These changes will be reflected in every new DisposableVM based on that template. -Full instructions can be found [here](/doc/disposablevm-customization/). - - -## Qubes 3.2 ## - - -### DisposableVMs and Networking ### - -NetVM and firewall rules for DisposableVMs can be set as they can for a normal VM. -By default a DisposableVM will inherit the NetVM and firewall settings of the VM from which it is launched. -Thus if an AppVM uses sys-net as its NetVM, any DisposableVM launched from this AppVM will also have sys-net as its NetVM. -You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. -Here you can edit the "NetVM for DisposableVM" setting to change the NetVM of any DisposableVM launched from that VM. - -A DisposableVM launched from the Start Menu inherits the NetVM of the [DisposableVM Template](/doc/glossary/#disposablevm-template). -By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). -As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". -Note that changing the "NetVM for DisposableVM" setting for the DisposableVM Template does *not* affect the NetVM of DisposableVMs launched from the Start Menu; only changing the DisposableVM Template's own NetVM does. - - -### Opening a file in a DisposableVM via GUI ### - -In an AppVM's file manager, right click on the file you wish to open in a DisposableVM, then choose "Open in DisposableVM". -Wait a few seconds and the default application for this file type should appear displaying the file content. -This app is running in its own dedicated VM -- a DisposableVM created for the purpose of viewing or editing this very file. -Once you close the viewing application the whole DisposableVM will be destroyed. -If you have edited the file and saved the changes, the changed file will be saved back to the original AppVM, overwriting the original. - -![r1-open-in-dispvm-1.png](/attachment/wiki/DisposableVms/r1-open-in-dispvm-1.png) ![r1-open-in-dispvm-2.png](/attachment/wiki/DisposableVms/r1-open-in-dispvm-2.png) - - -### Opening a fresh web browser instance in a new DisposableVM ### - -Sometimes it is desirable to open an instance of Firefox within a new fresh DisposableVM. -This can be done easily using the Start Menu: just go to **Application Menu -\> DisposableVM -\> DisposableVM:Firefox web browser**. -Wait a few seconds until a web browser starts. -Once you close the viewing application the whole DisposableVM will be destroyed. - -![r1-open-in-dispvm-3.png](/attachment/wiki/DisposableVms/r1-open-in-dispvm-3.png) - - -### Opening a file in a DisposableVM via command line (from AppVM) ### - -Use the `qvm-open-in-dvm` command from a terminal in your AppVM: - -~~~ -[user@work-pub ~]$ qvm-open-in-dvm Downloads/apple-sandbox.pdf -~~~ - -Note that the `qvm-open-in-dvm` process will not exit until you close the application in the DisposableVM. - - -### Starting an arbitrary program in a DisposableVM from an AppVM ### - -Sometimes it can be useful to start an arbitrary program in a DisposableVM. This can be done from an AppVM by running - -~~~ -[user@vault ~]$ qvm-run '$dispvm' xterm -~~~ - -The created DisposableVM can be accessed via other tools (such as `qvm-copy-to-vm`) using its `disp####` name as shown in the Qubes Manager or `qvm-ls`. - - -### Starting an arbitrary application in a DisposableVM via command line (from Dom0) ### - -The Application Launcher has shortcuts for opening a terminal and a web browser in dedicated DisposableVMs, since these are very common tasks. -However, it is possible to start an arbitrary application in a DisposableVM directly from dom0 by running: - -~~~ -$ echo xterm | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red -~~~ - -The label color will be inherited from the `dvm-template`. -(The DisposableVM Application Launcher shortcut used for starting programs runs a very similar command to the one above.) - - -### Customizing DisposableVMs ### +## Customizing DisposableVMs ## You can change the template used to generate the DisposableVMs, and change settings used in the DisposableVM savefile. These changes will be reflected in every new DisposableVM based on that template. diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md index 8bfc9211..bb1d598b 100644 --- a/common-tasks/managing-appvm-shortcuts.md +++ b/common-tasks/managing-appvm-shortcuts.md @@ -87,25 +87,12 @@ This service enumerates installed applications and sends formatted info back to For Linux VMs the service script is in `/etc/qubes-rpc/qubes.GetAppMenus`. In Windows it's a PowerShell script located in `c:\Program Files\Invisible Things Lab\Qubes OS Windows Tools\qubes-rpc-services\get-appmenus.ps1` by default. - * R4.0 - - The list of installed applications for each AppVM is stored in dom0's `~/.local/share/qubes-appmenus//apps.templates`. - Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). - Applications selected to appear in the menu are stored in `~/.local/share/qubes-appmenus//apps`. - - Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. - Examples: `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+7-Zip-7-Zip_File_Manager` or `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+firefox` +The list of installed applications for each AppVM is stored in dom0's `~/.local/share/qubes-appmenus//apps.templates`. +Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). +Applications selected to appear in the menu are stored in `~/.local/share/qubes-appmenus//apps`. + +Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. +Examples: `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+7-Zip-7-Zip_File_Manager` or `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+firefox` - Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q -a --service -- personal qubes.StartApp+firefox`. - - * R3.2 - - The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates//apps.templates` (or in case of StandaloneVM: `/var/lib/qubes/appvms//apps.templates`). - Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). - Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms//apps`. - - Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. - Examples: `qvm-run -q --tray -a w7s 'cmd.exe /c "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk"'` or `qvm-run -q --tray -a untrusted 'firefox %u'` - - Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q --tray -a personal -- 'qubes-desktop-run /home/user/application.desktop'`. +Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q -a --service -- personal qubes.StartApp+firefox`. diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md index 6bc63a4d..02bb71c5 100644 --- a/common-tasks/software-update-dom0.md +++ b/common-tasks/software-update-dom0.md @@ -34,7 +34,7 @@ How to install and update software in dom0 ### How to update dom0 -In the Qubes VM Manager, simply select dom0 in the VM list, then click the **Update VM system** button (the blue, downward-pointing arrow). In addition, updating dom0 has been made more convenient: You will be prompted on the desktop whenever new dom0 updates are available and given the choice to run the update with a single click. +In the Qube Manager, simply select dom0 in the VM list, then click the **Update VM system** button (the blue, downward-pointing arrow). In addition, updating dom0 has been made more convenient: You will be prompted on the desktop whenever new dom0 updates are available and given the choice to run the update with a single click. Alternatively, command-line tools are available for accomplishing various update-related tasks (some of which are not available via Qubes VM Manager). In order to update dom0 from the command line, start a console in dom0 and then run one of the following commands: @@ -69,14 +69,6 @@ You can also pass commands to `dnf` using `--action=...`. sudo dnf downgrade package-version ~~~ -For example, to downgrade Xen to a specific older version available for Qubes R3.2, you would: - -~~~ -sudo qubes-dom0-update xen-libs-4.6.6-36.fc23.x86_64 xen-hypervisor-4.6.6-36.fc23.x86_64 xen-runtime-4.6.6-36.fc23.x86_64 xen-hvm-4.6.6-36.fc23.x86_64 xen-4.6.6-36.fc23.x86_64 xen-license-4.6.6-36.fc23.x86_64 - -sudo dnf downgrade xen-libs-4.6.6-36.fc23.x86_64 xen-hypervisor-4.6.6-36.fc23.x86_64 xen-runtime-4.6.6-36.fc23.x86_64 xen-hvm-4.6.6-36.fc23.x86_64 xen-4.6.6-36.fc23.x86_64 xen-license-4.6.6-36.fc23.x86_64 -~~~ - ### How to re-install a package You can re-install in a similar fashion to downgrading. @@ -95,7 +87,7 @@ You can re-install in a similar fashion to downgrading. sudo dnf reinstall package ~~~ - Note that Dnf will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`. + Note that `dnf` will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`. ### How to uninstall a package @@ -162,3 +154,4 @@ Requires installed [Whonix](/doc/privacy/whonix/). Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting. Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix. Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix + diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md index adc7911b..53f25bb6 100644 --- a/common-tasks/software-update-vm.md +++ b/common-tasks/software-update-vm.md @@ -21,8 +21,6 @@ Of course the AppVM has only read-access to the template's filesystem -- it cann In addition to saving on the disk space, and reducing domain creation time, another advantage of such scheme is the possibility for centralized software update. It's just enough to do the update in the template VM, and then all the AppVMs based on this template get updates automatically after they are restarted. -The default template is called **fedora-23** in Qubes R3.2 and **fedora-26** in Qubes R4.0. - The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home`, `/usr/local`, or `/rw` then it will disappear after the AppVM reboots (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally installs software in the TemplateVM, not in AppVMs.** @@ -80,7 +78,7 @@ Debian also has three Qubes VM testing repositories (where `*` denotes the Relea To enable or disable any of these repos permanently, uncomment the corresponding `deb` line in `/etc/apt/sources.list.d/qubes-r*.list` -Reverting changes to a TemplateVM (R4.0) +Reverting changes to a TemplateVM --------------------------------- Perhaps you've just updated your TemplateVM, and the update broke your template. @@ -100,33 +98,6 @@ For example, to revert changes to the `fedora-26` TemplateVM: qvm-volume revert fedora-26:root -Reverting changes to a TemplateVM (R3.2) ---------------------------------- - -Perhaps you've just updated your TemplateVM, and the update broke your template. -Or perhaps you've made a terrible mistake, like accidentally confirming the installation of an unsigned package that could be malicious. -Fortunately, it's easy to revert changes to TemplateVMs using the command appropriate to your version of Qubes. - -**Important:** This command will roll back any changes made *during the last time the TemplateVM was run, but **not** before.* -This means that if you have already restarted the TemplateVM, using this command is unlikely to help, and you'll likely want to reinstall it from the repository instead. -On the other hand, if the template is already broken or compromised, it won't hurt to try reverting first. -Just make sure to **back up** all of your data and changes first! - -For example, to revert changes to the `fedora-23` TemplateVM: - -1. Shut down all VMs based on `fedora-23`. -2. Shut down `fedora-23`. - If you've already just shut it down, do **not** start it again (see above). -3. In a dom0 terminal, type: - - qvm-revert-template-changes fedora-23 - - If you want to skip the confirmation check, you can add the `--force` option: - - qvm-revert-template-changes --force fedora-23 - -For the technical details about how this command works and the steps it performs, see [here](/doc/template-implementation/#rollback-template-changes). - Notes on trusting your TemplateVM(s) ------------------------------------- @@ -168,8 +139,7 @@ However, a compromise of a template affects only a subset of all your AppVMs (in Also, if your AppVMs are network disconnected, even though their filesystems might get compromised due to the corresponding template compromise, it still would be difficult for the attacker to actually leak out the data stolen in an AppVM. Not impossible (due to existence of cover channels between VMs on x86 architecture), but difficult and slow. - -Standalone VMs (R4.0 and later) +Standalone VMs -------------- Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on their own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them. @@ -194,30 +164,6 @@ qvm-create --class StandaloneVM --label