Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-09-21 21:44:53 -04:00
Code Issues Projects Releases Packages Wiki Activity

merge PR #1494 and fixed conflicts

Browse source
This commit is contained in:
qubedmaiska 2025-09-06 07:03:33 -04:00
commit 6ecfe972a1
No known key found for this signature in database
GPG key ID: 204BCE0FD52C0501
11 changed files with 90 additions and 129 deletions
Download patch file Download diff file Expand all files Collapse all files

7
conf.py
View file

@ -121,3 +121,10 @@ locale_dirs = ['_translated']
gettext_compact = False
gettext_uuid = True
# -- -- Options for markup ---------------------------------------------------
rst_epilog = """
.. |debian-codename| replace:: bookworm
.. |debian-version| replace:: 12
"""

4
developer/services/qfileexchgd.rst
View file

@ -33,7 +33,7 @@ Copying files between AppVMs
----------------------------
1. AppVM1 user runs *qvm-copy-to-vm* script (accessible from Dolphin file manager by right click on a “file(s)->Actions->Send to VM” menu). It calls */usr/lib/qubes/qubes_penctl new*, and it writes “new” request to its ``device/qpen`` xenstore key. *qfilexchgd* creates a new 1G file, makes vfat fs on it, and does block-attach so that this file is attached as ``/dev/xvdg`` in AppVM1.
1. AppVM1 user runs *qvm-copy-to-vm* script (accessible from Dolphin file manager by right click on a file(s): :menuselection:`Actions->Send to VM`). It calls */usr/lib/qubes/qubes_penctl new*, and it writes “new” request to its ``device/qpen`` xenstore key. *qfilexchgd* creates a new 1G file, makes vfat fs on it, and does block-attach so that this file is attached as ``/dev/xvdg`` in AppVM1.
2. AppVM1 mounts ``/dev/xvdg`` on ``/mnt/outgoing`` and copies requested files there, then unmounts it.
@ -49,7 +49,7 @@ Copying a single file between AppVM and a DisposableVM
In order to minimize attack surface presented by necessity to process virtual pendrive metadata sent by (potentially compromised and malicious) DisposableVM, AppVM<->DisposableVM file exchange protocol does not use any filesystem.
1. User in AppVM1 runs *qvm-open-in-dvm* (accessible from Dolphin file manager by right click on a “file->Actions->Open in DisposableVM” menu). *qvm-open-in-dvm*
1. User in AppVM1 runs *qvm-open-in-dvm* (accessible from Dolphin file manager by right click on a file: :menuselection:`Actions->Open in DisposableVM` menu). *qvm-open-in-dvm*
1. gets a new ``/dev/xvdg`` (just as described in previous paragraph)

2
user/advanced-topics/how-to-install-software-in-dom0.rst
View file

@ -222,7 +222,7 @@ Updating over Tor
Requires installed `Whonix <https://forum.qubes-os.org/t/19014>`__.
Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting. Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix.
Go to :menuselection:`Qubes VM Manager --> System --> Global Settings`. See the UpdateVM setting. Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix.
:menuselection:`Qubes VM Manager --> System --> Global Settings --> UpdateVM --> sys-whonix`

2
user/advanced-topics/kde.rst
View file

@ -37,7 +37,7 @@ KDE is very customisable, and there is a range of widgets to use. If you want to
This allows you to edit the menu as you will. When editing the Menu *DO NOT use the option under “Edit->Restore to System Menu”*
This allows you to edit the menu as you will. When editing the Menu *DO NOT use the option under* :menuselection:`Edit --> Restore to System Menu`
Login manager
^^^^^^^^^^^^^

2
user/advanced-topics/managing-vm-kernels.rst
View file

@ -339,7 +339,7 @@ You may want to adjust some settings in ``/etc/default/grub`` (or better ``/etc/
Then shutdown the VM.
Go to dom0 -> Qubes VM Manger -> right click on the VM -> Qube settings -> Advanced
Go to dom0: :menuselection:`Qubes VM Manager --> right click on the VM --> Qube settings --> Advanced`
Depends on ``Virtualization`` mode setting:

6
user/how-to-guides/how-to-back-up-restore-and-migrate.rst
View file

@ -30,7 +30,7 @@ Creating a backup
-----------------
1. Go to **Applications menu -> System Tools -> Backup Qubes**. This brings up the **Qubes Backup VMs** window.
1. Go to :menuselection:`Applications menu --> System Tools --> Backup Qubes`. This brings up the **Qubes Backup VMs** window.
2. Move the VMs that you want to back up to the right-hand **Selected** column. VMs in the left-hand **Available** column will not be backed up.
@ -68,7 +68,7 @@ Restoring from a backup
-----------------------
1. Go to **Applications menu -> System Tools -> Restore Backup**. This brings up the **Qubes Restore VMs** window.
1. Go to :menuselection:`Applications menu -> System Tools -> Restore Backup`. This brings up the **Qubes Restore VMs** window.
2. Select the source location of the backup to be restored:
@ -101,7 +101,7 @@ Restoring from a backup
In case that applications are not shown, i.e. “No applications found”, open the settings of the qube -> select ``Applications`` -> click ``Refresh applications``.
In case that applications are not shown, i.e. “No applications found”, open the settings of the qube -> select :guilabel:`Applications`, click :guilabel:`Refresh applications`.
When a restored application qube refreshes, the application lists will open the template qubes on which it is based. In that case the template qube should also be restored, if it is missing the default qube will be assigned. The updated list of the installed software can be seen on the left and adjusted accordingly to the users needs.

126
user/how-to-guides/how-to-install-software.rst
View file

@ -9,45 +9,40 @@ Qubes OS is effectively a “meta” operating system (OS) that can run almost a
The following instructions explain how to permanently install new software in a template. There are different instructions for software from the default repositories and all other software. (If youre not sure, try the default repositories first.)
.. installing-software-from-default-repositories:
Installing software from default repositories
---------------------------------------------
1. Start the template.
2. Start either a terminal (e.g. ``gnome-terminal``) or a dedicated software management application, such as ``gpk-application``.
3. Install software as normally instructed inside that operating system, e.g.:
- Fedora: ``sudo dnf install <PACKAGE_NAME>``
- Debian: ``sudo apt install <PACKAGE_NAME>``
- Fedora: :samp:`sudo dnf install {<PACKAGE_NAME>}`
- Debian: :samp:`sudo apt install {<PACKAGE_NAME>}`
4. Shut down the template.
5. Restart all qubes based on the template.
6. (Recommended) In the relevant qubes **Settings > Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see :doc:`here </user/troubleshooting/app-menu-shortcut-troubleshooting>` for troubleshooting.)
6. (Recommended) In the relevant qubes :menuselection:`Settings --> Applications` tab, select the new application(s) from the list, and press :guilabel:`OK`. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see :ref:`app-menu-troubleshooting`)
.. figure:: /attachment/doc/r4.1-dom0-appmenu-select.png
:alt: The Applications tab in Qube Settings
Installing software from other sources
--------------------------------------
Some software is not available from the default repositories and must be downloaded and installed from another source. Depending on the installation method, you may either use the updates proxy or direct networking.
Using the updates proxy
^^^^^^^^^^^^^^^^^^^^^^^
If you are still using the distribution package manager, updates will likely still work over the updates proxy without needing to give the TemplateVM direct network access.
If you are using another installation method fetching remote resources, you might still be able to use the updates proxy by making the tools aware of the proxy. For many tools, it is enough to export the following environment variables in your shell session before proceeding:
@ -59,44 +54,44 @@ If you are using another installation method fetching remote resources, you migh
ALL_PROXY=$HTTP_PROXY all_proxy=$ALL_PROXY \
NO_PROXY=127.0.0.1 no_proxy=$NO_PROXY
Using direct networking
^^^^^^^^^^^^^^^^^^^^^^^
**Warning:** This method gives your template direct network access, which is `risky <#why-dont-templates-have-normal-network-access>`__. This method is **not** recommended for trusted templates. Moreover, depending on how you install this software, it may not get updated automatically when you :doc:`update Qubes normally </user/how-to-guides/how-to-update>`, which means you may have to update it manually yourself.
.. Warning:: This method gives your template direct network access, which is `risky <#why-dont-templates-have-normal-network-access>`__. This method is **not** recommended for trusted templates. Moreover, depending on how you install this software, it may not get updated automatically when you :doc:`update Qubes normally </user/how-to-guides/how-to-update>`, which means you may have to update it manually yourself.
This method assumes that you are trying to follow instructions to install some piece of software in a normal operating system, except *that* operating system is running as a template in Qubes OS.
1. (Recommended) Clone the desired template (since this new template will probably be less trusted than the original).
2. (Recommended) In the new templates **Settings > Basic** tab, change the color label from black to red (or another color that signifies to you that the template is less trusted).
2. (Recommended) In the new templates :menuselection:`Settings --> Basic` tab, change the color :guilabel:`label` from :guilabel:`black` to :guilabel:`red` (or another color that signifies to you that the template is less trusted).
3. In the new templates **Settings > Basic** tab, change the **Networking** value from ``default (none) (current)`` to ``sys-firewall`` (or whichever network-providing qube you wish to use).
3. In the new templates :menuselection:`Settings --> Basic` tab, change the :guilabel:`Networking` value from :guilabel:`default (none) (current)` to :guilabel:`sys-firewall` (or whichever network-providing qube you wish to use).
4. (Recommended) In the new templates **Settings > Firewall rules** tab, select “Limit outgoing Internet connections to…” and tick “Allow full access for 5 min.” (This can help in case you forget to remove network access later.)
4. (Recommended) In the new templates :menuselection:`Settings --> Firewall rules` tab:
5. Follow the normal instructions for installing your software in the new template. For example, open a terminal and enter the commands as instructed. **Warning:** If you dont fully understand the commands youre entering, then this can be extremely risky, and the template should be regarded as *completely untrusted*.
1. select :guilabel:`Limit outgoing Internet connections to…`
2. tick :guilabel:`Allow full access for 5 min.` (This can help in case you forget to remove network access later.)
6. (Recommended) In the new templates **Settings > Basic** tab, change the **Networking** value from ``sys-firewall (current)`` (or whichever network-providing qube you chose) back to ``default (none)``.
5. Follow the normal instructions for installing your software in the new template. For example, open a terminal and enter the commands as instructed.
.. warning:: If you dont fully understand the commands youre entering, then this can be extremely risky, and the template should be regarded as *completely untrusted*.
6. (Recommended) In the new templates :menuselection:`Settings --> Basic` tab, change the :guilabel:`Networking` value from :guilabel:`sys-firewall (current)` (or whichever network-providing qube you chose) back to :guilabel:`default (none)`.
7. Shut down the new template.
8. Create or assign your desired app qubes to use the new template. If any app qubes were already assigned to the new template, restart them.
9. (Recommended) In the relevant qubes **Settings > Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see :doc:`here </user/troubleshooting/app-menu-shortcut-troubleshooting>` for troubleshooting.)
.. figure:: /attachment/doc/r4.1-dom0-appmenu-select.png
:alt: The Applications tab in Qube Settings
9. (Recommended) In the relevant qubes :menuselection:`Settings --> Applications` tab, select the new application(s) from the list, and press :guilabel:`OK`. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see :ref:`app-menu-troubleshooting`)
.. image:: /attachment/doc/r4.1-dom0-appmenu-select.png
:alt:
Troubleshooting
---------------
If things are still not working as expected:
- Review the instructions very carefully, making sure you follow each step.
@ -111,38 +106,31 @@ If things are still not working as expected:
- :doc:`Ask for help. </introduction/support>`
How to update software
----------------------
Please see :doc:`How to Update </user/how-to-guides/how-to-update>`.
Please see :doc:`how-to-update`.
Why don't templates have normal network access?
-----------------------------------------------
In order to protect you from performing risky activities in templates, they do not have normal network access by default. Instead, templates use an `updates-proxy <#updates-proxy>`__ which allows you to install and update software using the distributions package manager over the proxy connection. **The updates proxy is already set up to work automatically out-of-the-box and requires no special action from you.** Most users should simply follow the normal instructions for `installing software from default repositories <#installing-software-from-default-repositories>`__ and :doc:`updating </user/how-to-guides/how-to-update>` software. If your software is not available in the default repositories, see `installing software from other sources <#installing-software-from-other-sources>`__.
In order to protect you from performing risky activities in templates, they do not have normal network access by default. Instead, templates use an :ref:`updates-proxy` which allows you to install and update software using the distributions package manager over the proxy connection. **The updates proxy is already set up to work automatically out-of-the-box and requires no special action from you.** Most users should simply follow the normal instructions for :ref:`installing-software-from-default-repositories` and :doc:`updating <how-to-update>` software. If your software is not available in the default repositories, see `installing software from other sources <#installing-software-from-other-sources>`__.
Advanced
--------
The following sections cover advanced topics pertaining to installing and updating software in qubes.
Testing repositories
^^^^^^^^^^^^^^^^^^^^
If you wish to install updates that are still in :doc:`testing </user/downloading-installing-upgrading/testing>`, you must enable the appropriate testing repositories.
**Note:** The following repos are in templates and standalones. For dom0 testing repos, see :ref:`here <user/advanced-topics/how-to-install-software-in-dom0:testing repositories>`. For testing new templates, please see :ref:`here <user/downloading-installing-upgrading/testing:templates>`.
.. note:: The following repos are in templates and standalones. For dom0 testing repos, see :ref:`user/advanced-topics/how-to-install-software-in-dom0:testing repositories`. For testing new templates, please see :ref:`user/downloading-installing-upgrading/testing:templates`.
Fedora
^^^^^^
There are three Qubes VM testing repositories (where ``*`` denotes the Release):
- ``qubes-vm-*-current-testing`` testing packages that will eventually land in the stable (``current``) repository
@ -151,8 +139,6 @@ There are three Qubes VM testing repositories (where ``*`` denotes the Release):
- ``qubes-vm-*-unstable`` packages that are not intended to land in the stable (``qubes-vm-*-current``) repository; mostly experimental debugging packages
To temporarily enable any of these repos, use the ``--enablerepo=<repo-name>`` option. Example commands:
.. code:: console
@ -161,15 +147,12 @@ To temporarily enable any of these repos, use the ``--enablerepo=<repo-name>`` o
$ sudo dnf upgrade --enablerepo=qubes-vm-*-security-testing
$ sudo dnf upgrade --enablerepo=qubes-vm-*-unstable
To enable or disable any of these repos permanently, change the corresponding ``enabled`` value to ``1`` in ``/etc/yum.repos.d/qubes-*.repo``.
To enable or disable any of these repos permanently, change the corresponding ``enabled`` value to ``1`` in :file:`/etc/yum.repos.d/qubes-*.repo`.
Debian
^^^^^^
Debian also has three Qubes VM testing repositories (where ``*`` denotes the Release):
Debian also has three Qubes VM testing repositories (where ``*`` denotes the Debian codename, i.e. "|debian-codename|"):
- ``*-testing`` testing packages that will eventually land in the stable (``current``) repository
@ -177,9 +160,7 @@ Debian also has three Qubes VM testing repositories (where ``*`` denotes the Rel
- ``*-unstable`` packages that are not intended to land in the stable repository; mostly experimental debugging packages
To enable or disable any of these repos permanently, uncomment the corresponding ``deb`` line in ``/etc/apt/sources.list.d/qubes-r*.list``.
To enable or disable any of these repos permanently, uncomment the corresponding ``deb`` line in :file:`/etc/apt/sources.list.d/qubes-r4.list`.
Standalones
^^^^^^^^^^^
@ -190,8 +171,7 @@ The process for installing and updating software in :term:`standalones <standalo
RPMFusion for Fedora templates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you would like to enable the `RPM Fusion <https://rpmfusion.org/>`__ repositories, open a Terminal of the template and type the following commands, depending on which RPM Fusion repositories you wish to enable (see `RPM Fusion <https://rpmfusion.org/>`__ for details):
If you would like to enable the `RPM Fusion <https://rpmfusion.org>`__ repositories, open a Terminal of the template and type the following commands, depending on which RPM Fusion repositories you wish to enable (see `RPM Fusion <https://rpmfusion.org>`__ for details):
.. code:: console
@ -208,7 +188,6 @@ This will permanently enable the RPM Fusion repos. If you install software from
Reverting changes to a template
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Perhaps youve just updated your template, and the update broke your template. Or perhaps youve made a terrible mistake, like accidentally confirming the installation of an unsigned package that could be malicious. If you want to undo changes to a template, there are three basic methods:
1. **Root revert.** This is appropriate for misconfigurations, but not for security concerns. It will preserve your customizations.
@ -217,13 +196,10 @@ Perhaps youve just updated your template, and the update broke your template.
3. **Full revert.** This is appropriate for both misconfigurations and security concerns, and it can preserve your customizations. However, it is a bit more complex.
Root revert
^^^^^^^^^^^
**Important:** This command will roll back any changes made *during the last time the template was run, but* **not** *before.* This means that if you have already restarted the template, using this command is unlikely to help, and youll likely want to reinstall it from the repository instead. On the other hand, if the template is already broken or compromised, it wont hurt to try reverting first. Just make sure to **back up** all of your data and changes first!
.. important:: This command will roll back any changes made *during the last time the template was run, but* **not** *before.* This means that if you have already restarted the template, using this command is unlikely to help, and youll likely want to reinstall it from the repository instead. On the other hand, if the template is already broken or compromised, it wont hurt to try reverting first. Just make sure to **back up** all of your data and changes first!
1. Shut down ``<template>``. If youve already just shut it down, do **not** start it again (see above).
@ -231,34 +207,27 @@ Root revert
.. code:: console
$ qvm-volume revert <template>:root
[user@dom0]$ qvm-volume revert <template>:root
Reinstall the template
^^^^^^^^^^^^^^^^^^^^^^
Please see :doc:`How to Reinstall a template </user/how-to-guides/how-to-reinstall-a-template>`.
Full revert
^^^^^^^^^^^
This is like the simple revert, except:
- You must also revert the private volume with ``qvm-volume revert <template>:private``. This requires you to have an old revision of the private volume, which does not exist with the current default config. However, if you dont have anything important in the private volume (likely for a template), then you can work around this by just resetting the private volume with ``qvm-volume import --no-resize <template>:private /dev/null``.
- You must also revert the private volume with :samp:`qvm-volume revert {<template>}:private`. This requires you to have an old revision of the private volume, which does not exist with the current default config. However, if you dont have anything important in the private volume (likely for a template), then you can work around this by just resetting the private volume with :samp:`qvm-volume import --no-resize {<template>}:private /dev/null`.
- The saved revision of the volumes must be uncompromised. With the default ``revisions_to_keep=1`` for the root volume, you must **not** have started the template since the compromising action.
.. updates-proxy:
Updates proxy
^^^^^^^^^^^^^
Updates proxy is a service which allows access from package managers configured to use the proxy by default, but can be used by any other program that accepts proxy arguments. The purpose of the proxy, instead of direct network access, is meant to mitigate user errors of using applications such as the browser in the template. Not necessarily what part of the network they can access, but only to applications trusted by the user, configured to use the proxy. The http proxy (tinyproxy) does not filter traffic because it is hard to list all the repository mirrors and keep that list up to date). it also does not cache anything.
The proxy is running in selected VMs (by default all the NetVMs (1)) and intercepts traffic directed to 127.0.0.1:8082. Thanks to such configuration all the VMs can use the same proxy address. If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure dnf/apt to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
@ -269,14 +238,11 @@ There are two services (``qvm-service``, :doc:`service framework </user/advanced
2. ``updates-proxy-setup`` (and its deprecated name: ``yum-proxy-setup``) - use a proxy provided by another VM (instead of downloading updates directly), enabled by default in all templates
Both the old and new names work. The defaults listed above are applied if the service is not explicitly listed in the services tab.
Technical details
^^^^^^^^^^^^^^^^^
The updates proxy uses RPC/qrexec. The proxy is configured in qrexec policy in dom0: ``/etc/qubes-rpc/policy/qubes.UpdatesProxy``. By default this is set to sys-net and/or sys-whonix, depending on firstboot choices. This new design allows for templates to be updated even when they are not connected to any NetVM.
Example policy file in R4.1 (with Whonix installed, but not set as default UpdateVM for all templates):
@ -286,16 +252,14 @@ Example policy file in R4.1 (with Whonix installed, but not set as default Updat
# any VM with tag `whonix-updatevm` should use `sys-whonix`; this tag is added to `whonix-gw` and `whonix-ws` during installation and is preserved during template clone
@tag:whonix-updatevm @default allow,target=sys-whonix
@tag:whonix-updatevm @anyvm deny
# other templates use sys-net
@type:TemplateVM @default allow,target=sys-net
@anyvm @anyvm deny
Installing Snap Packages
^^^^^^^^^^^^^^^^^^^^^^^^
Snap packages do not use the normal update channels for Debian and Fedora (apt and dnf) and are often installed as the user rather than as root. To support these in an app qube you need to take the following steps:
1. In the **template** you must install ``snapd`` and ``qubes-snapd-helper``. Open a terminal in the template and run:
@ -313,15 +277,15 @@ Snap packages do not use the normal update channels for Debian and Fedora (apt a
qubes-snapd-helper noarch 1.0.4-1.fc36 qubes-vm-r4.1-current 10 k
Installing dependencies:
[...]
Transaction Summary
========================================================================================================
Install 19 Packages
Total download size: 27 M
Installed size: 88 M
Is this ok [y/N]: y
Downloading Packages:
[..]
Failed to resolve booleanif statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:1174
@ -329,7 +293,7 @@ Snap packages do not use the normal update channels for Debian and Fedora (apt a
[...]
Last metadata expiration check: 0:33:05 ago on Thu 03 Nov 2022 04:34:06.
Notifying dom0 about installed applications
Installed:
snapd-2.56.2-4.fc36.x86_64 qubes-snapd-helper-1.0.4-1.fc36.noarch
[...]
@ -342,7 +306,6 @@ Snap packages do not use the normal update channels for Debian and Fedora (apt a
Failed to resolve booleanif statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:1174
/usr/sbin/semodule: Failed!
This is expected and you can safely continue.
Shutdown the template:
@ -350,7 +313,6 @@ Snap packages do not use the normal update channels for Debian and Fedora (apt a
[user@fedora-36-snap-demo ~]$ sudo shutdown -h now
2. Now open the **app qube** in which you would like to install the Snap application and run a terminal:
.. code:: console
@ -359,18 +321,13 @@ Snap packages do not use the normal update channels for Debian and Fedora (apt a
When the install is complete you can close the terminal window.
3. Refresh the Applications list for the app qube. In the Qubes Menu for the **app qube** launch the Qube Settings. Then go to the Applications tab and click “Refresh Applications”
3. Refresh the Applications list for the app qube. In the Qubes Menu for the **app qube** launch the Qube :guilabel:`Settings`. Then go to the Applications tab and click “Refresh Applications”
- The refresh will take a few minutes; after its complete the Snap app will appear in the app qubes list of available applications. At this point the snap will be persistent within the app qube and will receive updates when the app qube is running.
Autostarting Installed Applications
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you want a desktop app to start automatically every time a qube starts you can create a link to it in the ``~/.config/autostart`` directory of the **app qube**. This might be useful for Qubes that you set to automatically start on boot or for Qubes that have a set of apps you typically use all day, such as a chat app.
1. Open a terminal in the **app qube** where you would like the app to launch.
@ -387,23 +344,16 @@ If you want a desktop app to start automatically every time a qube starts you ca
xterm.desktop
yelp.desktop
3. Create the autostart directory:
.. code:: console
[user@example-app qube ~]$ mkdir -p ~/.config/autostart
4. Make a link to the desktop app file youd like to start in the autostart directory. For example, the command below will link the Thunderbird app into the autostart directory:
.. code:: console
[user@example-app qube ~]$ ln -s /usr/share/applications/mozilla-thunderbird.desktop ~/.config/autostart/mozilla-thunderbird.desktop
Note that the app will autostart only when the app qube starts. If you would like the app qube to autostart, select the “Start qube automatically on boot” checkbox in the app qubes Qube Settings.

8
user/how-to-guides/how-to-use-disposables.rst
View file

@ -27,7 +27,7 @@ How to create disposable templates
First, you need to create an app qube. You can run it normally, set up any necessary settings (like browser settings) you wish to be applied to every disposable qube ran from this template. Next, go to Qube Settings of the app qube, set it as a *Disposable template* in the *Advanced* section and apply the change.
In Qubes 4.1, the entry in the Application menu is split into Disposable and Template (disp). The settings for the disposable can be changed under **Application Menu -> Template (disp) -> Template: Qubes Settings**
In Qubes 4.1, the entry in the Application menu is split into Disposable and Template (disp). The settings for the disposable can be changed under :menuselection:`Application Menu --> Template (disp) --> Template: Qubes Settings`
In Qubes 4.2, the qube will now appear in the menu as a disposable template (in the Apps section), from which you can launch new disposable qubes. To change the settings of the template itself or run programs in it, use the menu item for the disposable template located in the Templates section.
@ -35,9 +35,9 @@ How to create named disposables
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In Qubes 4.1: named disposables can be created under **Application Menu -> Create Qubes VM**, set the qube type to be *DisposableVM*.
In Qubes 4.1: named disposables can be created under :menuselection:`Application Menu --> Create Qubes VM`, set the qube type to be *DisposableVM*.
In Qubes 4.2: named disposables can be created by **Application Menu -> Settings -> Qubes Settings -> Create New Qube**. Set the qube type to **Named disposable**.
In Qubes 4.2: named disposables can be created by :menuselection:`Application Menu --> Settings --> Qubes Settings --> Create New Qube`. Set the qube type to **Named disposable**.
Security
--------
@ -123,7 +123,7 @@ Opening a fresh web browser instance in a new disposable
--------------------------------------------------------
Sometimes it is desirable to open an instance of Firefox within a new fresh disposable. This can be done easily using the app menu: just go to **Application Menu -> Disposable -> Disposable: Firefox web browser**. Wait a few seconds until a web browser starts. Once you close the viewing application the whole disposable will be destroyed.
Sometimes it is desirable to open an instance of Firefox within a new fresh disposable. This can be done easily using the app menu: just go to :menuselection:`Application Menu --> Disposable --> Disposable: Firefox web browser`. Wait a few seconds until a web browser starts. Once you close the viewing application the whole disposable will be destroyed.
.. figure:: /attachment/doc/r4.0-open-in-dispvm-3.png
:alt: r4.0-open-in-dispvm-3.png

2
user/security-in-qubes/ctap-proxy.rst
View file

@ -60,7 +60,7 @@ In dom0:
The above assumes a ``work`` qube in which you would like to enable ctap. Repeat the ``qvm-service`` command for all qubes that should have the client proxy enabled. Alternatively, you can add ``qubes-ctap-proxy`` in VM settings -> Services in the Qube Manager of each qube you would like to enable the service. Attempting to start the ``qubes-ctap-proxy`` service in the device-hosting qube (``sys-usb``) will fail.
The above assumes a ``work`` qube in which you would like to enable ctap. Repeat the ``qvm-service`` command for all qubes that should have the client proxy enabled. Alternatively, you can add ``qubes-ctap-proxy`` in :menuselection:`VM settings -> Services` in the Qube Manager of each qube you would like to enable the service. Attempting to start the ``qubes-ctap-proxy`` service in the device-hosting qube (``sys-usb``) will fail.
In Fedora templates:

2
user/templates/debian/debian.rst
View file

@ -3,7 +3,7 @@ Debian templates
================
The Debian :doc:`template </user/templates/templates>` is an officially :ref:`supported <user/downloading-installing-upgrading/supported-releases:templates>` template in Qubes OS. The Current version is Debian 12 (“bookworm”). It is available in 3 versions - ``debian-12``, a standard template; ``debian-12-xfce``, a larger template with more installed applications, selected for :doc:`Xfce </user/templates/xfce-templates>`; ``debian-12-minimal``. This page is about the “full” templates. For the minimal version, please see the :doc:`Minimal templates </user/templates/minimal-templates>` page.
The Debian :ref:`/user/reference/glossary:template` is an officially :ref:`supported <user/downloading-installing-upgrading/supported-releases:templates>` template in Qubes OS. The Current version is Debian |debian-version| (“|debian-codename|”). It is available in 3 versions - ``debian-12``, a standard template; ``debian-12-xfce``, a larger template with more installed applications, selected for :doc:`Xfce </user/templates/xfce-templates>`; ``debian-12-minimal``. This page is about the “full” templates. For the minimal version, please see the :doc:`Minimal templates </user/templates/minimal-templates>` page.
Installing
----------

58
user/troubleshooting/app-menu-shortcut-troubleshooting.rst
View file

@ -1,3 +1,5 @@
.. _app-menu-troubleshooting:
=================================
App menu shortcut troubleshooting
=================================
@ -7,6 +9,8 @@ For ease of use Qubes aggregates shortcuts to applications that are installed in
|image1|
.. _how-to-add-a-shortcut:
How-to add a shortcut
---------------------
@ -15,11 +19,11 @@ With the graphical user interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To make applications newly installed show up in the menu, you can use the qubes *Settings*. Under the *Applications* tab, use the *Refresh Applications* button. Linux qubes do this automatically, if the *Settings* are opened after the installation of the package.
To make applications newly installed show up in the menu, you can use the qubes *Settings*. Under the :guilabel:`Applications` tab, use the :guilabel:`Refresh Applications` button. Linux qubes do this automatically, if the *Settings* are opened after the installation of the package.
|image2|
After that, use the directional buttons (``>``, ``>>``, ``<`` or ``<<``) to customize which applications are shown, by moving them to the *Applications shown in App Menu* part (on the right side). Use the *Apply* (or *Ok*) button to see the changes in the app menu.
After that, use the directional buttons (:guilabel:`>`, :guilabel:`>>`, :guilabel:`<` or :guilabel:`<<`) to customize which applications are shown, by moving them to the *Applications shown in App Menu* part (on the right side). Use the :guilabel:`Apply` (or :guilabel:`Ok`) button to see the changes in the app menu.
With the command-line interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -29,16 +33,16 @@ To update the list of available applications, use the ``qvm-sync-appmenus`` comm
.. code:: console
$ qvm-sync-appmenus <QUBE_NAME>
[user@dom0] $ qvm-sync-appmenus <QUBE_NAME>
When using the *Refresh Applications* button in a qubes settings, the command ``qvm-sync-appmenus`` is used at least one time. When refreshing an AppVM application, it is also run against the template. So the console equivalent of clicking the *Refresh button* is the following (always in dom0):
When using the :guilabel:`Refresh Applications` button in a qubes settings, the command ``qvm-sync-appmenus`` is used at least one time. When refreshing an AppVM application, it is also run against the template. So the console equivalent of clicking the :guilabel:`Refresh Applications` button is the following (always in dom0):
.. code:: console
$ qvm-sync-appmenus <APPVM_NAME>
$ qvm-sync-appmenus <TEMPLATE_NAME>
[user@dom0] $ qvm-sync-appmenus <APPVM_NAME>
[user@dom0] $ qvm-sync-appmenus <TEMPLATE_NAME>
@ -46,7 +50,7 @@ In dom0, the ``qvm-appmenus`` tool allows the user to see the list of available
.. code:: console
$ qvm-appmenus --set-whitelist <FILE_PATH> <QUBE_NAME>
[user@dom0] $ qvm-appmenus --set-whitelist <FILE_PATH> <QUBE_NAME>
@ -76,7 +80,7 @@ You can manually create new entries in the “available applications” list of
1. Open a terminal window to the template.
2. Create a custom ``.desktop`` file in ``/usr/share/applications`` (you may need to first create the subdirectory). Look in ``/usr/share/applications`` for existing examples, or see the full `file specification <https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html>`__. It will be something like:
2. Create a custom ``.desktop`` file in :file:`/usr/share/applications` (you may need to first create the subdirectory). Look in :file:`/usr/share/applications` for existing examples, or see the full `.desktop file format <https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html>`__ specification. It will be something like:
.. code:: desktop
@ -87,7 +91,7 @@ You can manually create new entries in the “available applications” list of
3. Follow the instructions in `How-to add a shortcut <#how-to-add-a-shortcut>`__
3. Follow the instructions in :ref:`how-to-add-a-shortcut`
@ -95,9 +99,9 @@ If you only want to create a shortcut for a single app qube:
1. Open a terminal window to the template.
2. Create a custom ``.desktop`` file in either ``~/.local/share/applications`` or ``/usr/local/share/applications`` (you may need to first create the subdirectory). See the previous instructions about the desktop entry format.
2. Create a custom ``.desktop`` file in either :file:`~/.local/share/applications` or :file:`/usr/local/share/applications` (you may need to first create the subdirectory). See the previous instructions about the desktop entry format.
3. Follow the instructions in `How-to add a shortcut <#how-to-add-a-shortcut>`__
3. Follow the instructions in :ref:`how-to-add-a-shortcut`
@ -105,9 +109,9 @@ To add a custom menu entry instead:
1. Open a terminal window to Dom0.
2. Create a custom ``.desktop`` file in ``~/.local/share/applications``. Look in the same directory for existing examples, or see the full `file specification <https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html>`__. You may use ``qvm-run`` inside the ``.desktop`` file; see :ref:`Behind the scenes <user/troubleshooting/app-menu-shortcut-troubleshooting:behind the scenes>` for more details.
2. Create a custom ``.desktop`` file in :file:`~/.local/share/applications`. Look in the same directory for existing examples, or see the full `file specification <https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html>`__. You may use ``qvm-run`` inside the ``.desktop`` file; see :ref:`Behind the scenes <user/troubleshooting/app-menu-shortcut-troubleshooting:behind the scenes>` for more details.
3. Edit the ``~/.config/menus/applications-merged/<vmname>-vm.menu`` file for the app qube.
3. Edit the :file:`~/.config/menus/applications-merged/{<vmname>}-vm.menu` file for the app qube.
4. Add a custom menu entry referring to your newly created ``.desktop`` file.
@ -132,11 +136,11 @@ If you created a desktop entry but it doesnt show up, there are some steps to
1. make sure the name is a valid name (only ASCII letters, numbers, hyphens and point)
2. if this program is available, run ``desktop-file-validate <DESKTOP_FILE_PATH>``
2. if this program is available, run :samp:`desktop-file-validate {<DESKTOP_FILE_PATH>}`
3. run it through ``gtk-launch``
4. run ``/etc/qubes-rpc/qubes.GetAppmenus`` and check that your desktop entry is listed in the output
4. run :file:`/etc/qubes-rpc/qubes.GetAppmenus` and check that your desktop entry is listed in the output
@ -154,7 +158,7 @@ First, try this in dom0:
.. code:: console
$ qvm-appmenus --update --force <QUBE_NAME>
[user@dom0] $ qvm-appmenus --update --force <QUBE_NAME>
@ -162,19 +166,19 @@ You can also try:
.. code:: console
$ qvm-appmenus --remove <QUBE_NAME>
[user@dom0] $ qvm-appmenus --remove <QUBE_NAME>
If that doesnt work, you can manually modify the files in ``~/.local/share/applications/`` or in ``~/.local/share/qubes-appmenus/<QUBE_NAME>``.
If that doesnt work, you can manually modify the files in :file:`~/.local/share/applications/` or in :file:`~/.local/share/qubes-appmenus/{<QUBE_NAME>}`.
For example, suppose youve deleted ``my-old-vm``, but there is a leftover Application Menu shortcut, and you find a related file in ``~/.local/share/applications/``, try to delete it. The hyphens in the name of the qube are replaced by an underscore and the letter, so instead of looking for ``my-old-vm``, try ``my_dold_dvm``.
For example, suppose youve deleted ``my-old-vm``, but there is a leftover Application Menu shortcut, and you find a related file in :file:`~/.local/share/applications/`, try to delete it. The hyphens in the name of the qube are replaced by an underscore and the letter, so instead of looking for ``my-old-vm``, try ``my_dold_dvm``.
What if my application is shown in app menu, but doesn't run anything?
----------------------------------------------------------------------
First, check in the corresponding ``.desktop`` file in ``~/.local/share/qubes-appmenus/<QUBE_NAME>/``, inside dom0.
First, check in the corresponding ``.desktop`` file in :file:`~/.local/share/qubes-appmenus/{<QUBE_NAME>}/`, inside dom0.
The line starting with ``Exec=`` points out the exact command run by dom0 to start the application. It should be something like:
@ -188,7 +192,7 @@ Its possible to run the command to check the output, by copying this line wit
.. code:: console
$ /etc/qubes-rpc/qubes.StartApp <APPLICATION_NAME>
[user@any-qube] $ /etc/qubes-rpc/qubes.StartApp <APPLICATION_NAME>
@ -198,9 +202,9 @@ Behind the scenes
``qvm-sync-appmenus`` works by invoking the *GetAppMenus* :doc:`Qubes service </developer/services/qrexec>` in the target domain. This service enumerates applications installed in that qube and sends formatted info back to dom0 which creates ``.desktop`` files in the app qube/template directory of dom0.
For Linux qubes the service script is in ``/etc/qubes-rpc/qubes.GetAppMenus``. In Windows its a PowerShell script located in ``c:\Program Files\Invisible Things Lab\Qubes OS Windows Tools\qubes-rpc-services\get-appmenus.ps1`` by default.
For Linux qubes the service script is in :file:`/etc/qubes-rpc/qubes.GetAppMenus``. In Windows its a PowerShell script located in :file:`c:\Program Files\Invisible Things Lab\Qubes OS Windows Tools\qubes-rpc-services\get-appmenus.ps1` by default.
The list of installed applications for each app qube is stored in dom0s ``~/.local/share/qubes-appmenus/<QUBE_NAME>/apps.templates``. Each menu entry is a file that follows the `.desktop file format <https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html>`__ with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in ``~/.local/share/qubes-appmenus/<QUBE_NAME>/apps`` and in ``~/.local/share/applications/``.
The list of installed applications for each app qube is stored in dom0s :file:`~/.local/share/qubes-appmenus/{<QUBE_NAME>}/apps.templates`. Each menu entry is a file that follows the `.desktop file format <https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html>`__ with some wildcards (``%VMNAME%``, ``%VMDIR%``). Applications selected to appear in the menu are stored in :file:`~/.local/share/qubes-appmenus/{<QUBE_NAME>}/apps` and in :file:`~/.local/share/applications/`.
The whitelist given to ``qvm-appmenu --set-whitelist`` is stored as a feature called ``menu-items``, where each desktop entry is separated by a space.
@ -221,12 +225,12 @@ Note that you can create a shortcut that points to a ``.desktop`` file in your a
While this works well for standard applications, creating a menu entry for Windows applications running under *wine* may need an additional step in order to establish the necessary environment in *wine*. Installing software under *wine* will create the needed ``.desktop`` file in the target Linux qube in the directory ``~/.local/share/applications/wine/Programs/`` or a subdirectory thereof, depending on the Windows menu structure seen under *wine*. If the name of this file contains spaces, it will not be found, because the ``qvm-run`` command is falsely seen as terminating at this space. The solution is to remove these spaces by renaming the ``.desktop`` file accordingly, e.g. by renaming ``Microsoft Excel.desktop`` to ``Excel.desktop``. Refreshing the menu structure will then build working menu entries.
While this works well for standard applications, creating a menu entry for Windows applications running under *wine* may need an additional step in order to establish the necessary environment in *wine*. Installing software under *wine* will create the needed ``.desktop`` file in the target Linux qube in the directory :file:`~/.local/share/applications/wine/Programs/` or a subdirectory thereof, depending on the Windows menu structure seen under *wine*. If the name of this file contains spaces, it will not be found, because the ``qvm-run`` command is falsely seen as terminating at this space. The solution is to remove these spaces by renaming the ``.desktop`` file accordingly, e.g. by renaming :file:`Microsoft Excel.desktop` to :file:`Excel.desktop`. Refreshing the menu structure will then build working menu entries.
**Note:** Applications installed under *wine* are installed in AppVMs, not in the template on which these AppVMs are based, as the file structure used by *wine* is stored under ``~/.wine``, which is part of the persistent data of the AppVM and not inherited from its template.
.. note:: Applications installed under *wine* are installed in AppVMs, not in the template on which these AppVMs are based, as the file structure used by *wine* is stored under :file:`~/.wine`, which is part of the persistent data of the AppVM and not inherited from its template.
.. |image1| image:: /attachment/doc/r4.0-dom0-menu.png
.. |image2| image:: /attachment/doc/r4.0-dom0-appmenu-select.png