merge with upstream

This commit is contained in:
Jeepler 2016-06-15 18:58:33 -05:00
commit 7000514f47
9 changed files with 150 additions and 76 deletions

View File

@ -90,9 +90,30 @@ You can re-install in a similar fashion to downgrading.
If you've installed a package such as anti-evil-maid, you can remove it with the following command:
~~~
sudo yum remove anti-evil-maid
~~~
### Testing repositories
There are three Qubes dom0 testing repoistories:
* `qubes-dom0-current-testing` -- testing packages that will eventually land in the stable
(`current`) repository
* `qubes-dom0-security-testing` -- a subset of `qubes-dom0-current-testing` that contains packages
that qualify as security fixes
* `qubes-dom0-unstable` -- packages that are not intended to land in the stable (`qubes-dom0-current`)
repository; mostly experimental debugging packages
To temporarily enable any of these repos, use the `--enablerepo=<repo-name>`
option. Example commands:
~~~
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable
~~~
To enable or disable any of these repos permanently, change the corresponding boolean in
`/etc/yum.repos.d/qubes-dom0.repo`.
### Kernel Upgrade ###

View File

@ -35,6 +35,30 @@ In order to permanently install new software, you should:
- You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their fielsystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You will restart others whenever this will be convenient to you.
Testing repositories
--------------------
There are three Qubes VM testing repoistories (where `*` denotes the Release):
* `qubes-vm-*-current-testing` -- testing packages that will eventually land in the stable
(`current`) repository
* `qubes-vm-*-security-testing` -- a subset of `qubes-vm-*-current-testing` that contains packages
that qualify as security fixes
* `qubes-vm-*-unstable` -- packages that are not intended to land in the stable (`qubes-vm-*-current`)
repository; mostly experimental debugging packages
To temporarily enable any of these repos, use the `--enablerepo=<repo-name>`
option. Example commands:
~~~
sudo dnf upgrade --enablerepo=qubes-vm-*-current-testing
sudo dnf upgrade --enablerepo=qubes-vm-*-security-testing
sudo dnf upgrade --enablerepo=qubes-vm-*-unstable
~~~
To enable or disable any of these repos permanently, change the corresponding boolean in
`/etc/yum.repos.d/qubes-*.repo`.
Reverting changes to a TemplateVM
---------------------------------

View File

@ -28,7 +28,7 @@ Qubes OS supports the ability to attach a USB drive (or just one or more of its
partitions) to any qube easily, no matter which qube actually handles the USB
controller. (The USB controller may be assigned on the **Devices** tab of a
qube's settings page in Qubes VM Manager or by using the
[qvm-pci][assigning-devices] command. For guidance on finding the correct USB
[qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
controller, see [here][usb-controller].)
USB drive mounting is integrated into the Qubes VM Manager GUI. Simply insert
@ -182,13 +182,25 @@ steps as root in dom0:
Alternatively, you can create a USB qube manually as follows:
1. In a dom0 terminal, type `lsusb` to check if you have a USB controller free
of input devices or programmable devices. If you find such free controller,
note its name and proceed to step 2.
1. Read the [Assigning Devices] page to learn how to list and identify your
USB controllers. Carefully check whether you have a USB controller that
would be appropriate to assign to a USB qube. Note that it should be free
of input devices, programmable devices, and any other devices that must be
directly available to dom0. If you find a free controller, note its name
and proceed to step 2.
2. Create a new qube. Give it an appropriate name and color label
(recommended: `sys-usb`, red).
3. In the qube's settings, go to the "Devices" tab. Find your USB controller
in the "Available" list. Move it to the "Selected" list.
(recommended: `sys-usb`, red). If you need to attach a networking device,
it might make sense to create a NetVM. If not, an AppVM might make more
sense. (The default `sys-usb` is a NetVM.)
3. In the qube's settings, go to the "Devices" tab. Find the USB controller
that you identified in step 1 in the "Available" list. Move it to the
"Selected" list.
**Caution:** By assigning a USB controller to a USB qube, it will no longer
be available to dom0. This can make your system unusable if, for example,
you have only one USB controller, and you are running Qubes off of a USB
drive.
4. Click "OK." Restart the qube.
5. Recommended: Check the box on the "Basic" tab which says "Start VM
automatically on boot." (This will help to mitigate attacks in which
@ -242,7 +254,7 @@ You can now use your USB keyboard.
[mass-storage]: https://en.wikipedia.org/wiki/USB_mass_storage_device_class
[devices]: /doc/assigning-devices/
[Assigning Devices]: /doc/assigning-devices/
[usb-controller]: /doc/assigning-devices/#finding-the-right-usb-controller
[623]: https://github.com/QubesOS/qubes-issues/issues/623
[1072-comm1]: https://github.com/QubesOS/qubes-issues/issues/1072#issuecomment-124270051

1
doc.md
View File

@ -63,6 +63,7 @@ Managing Operating Systems within Qubes
* [Templates: Archlinux](/doc/templates/archlinux/)
* [Templates: Ubuntu](/doc/templates/ubuntu/)
* [Templates: Whonix](/doc/whonix/)
* [How to Reinstall a TemplateVM](/doc/reinstall-template)
* [Pentesting: BlackArch](/doc/pentesting/blackarch/)
* [Pentesting: Kali](/doc/pentesting/kali/)
* [Pentesting: PTF](/doc/pentesting/ptf/)

View File

@ -16,8 +16,8 @@ can continue to improve it.
Introduction
------------
We have faced several challenges when making this Live USB edition of Qubes OS,
which traditional Linux distros don't have to bother with:
When making this Live USB edition of Qubes OS, we faced several challenges which
traditional Linux distros don't have to bother with:
1. We needed to ensure Xen is properly started when booting the stick. In fact
we still don't support UEFI boot for the stick for this reason, even though
@ -39,20 +39,20 @@ few tens of MBs per VM, sometimes even more. Also, each VM's private
image, which essentially holds just the user home directory, typically starts
with a few tens of MBs for an "empty VM". Now, while these represent rather
insignificant numbers on a disk-basked system, in the case of a live USB all
these files must be stored in RAM, which is a scare resource on any OS, but
these files must be stored in RAM, which is a scarce resource on any OS, but
especially on Qubes.
We have implemented some quick optimizations in order to minimize the above
problem, but this is still far from a proper solution. We're planning to work
more on this next.
Now, there are three directions in how we want to work further on this Qubes
There are three directions in which we want to do further work on this Qubes
Live USB variant:
1. Introduce an easy, clickable "install to disk" option, merging this with the
Qubes installation ISO. So, e.g. make it possible to first see if the given
hardware is compatible with Qubes (run the HCL reporting tool) and only then
install on the main disk. Also, ensure UEFI boot works well.
hardware is compatible with Qubes (by running the HCL reporting tool) and
only then install on the main disk. Also, ensure UEFI boot works well.
2. Introduce options for persistence while still running this out of a USB
stick. This would be achieved by allowing (select) VMs' private images to be
@ -90,10 +90,10 @@ expectations accordingly.)
from a large Qubes backup blob.
5. It's easy to generate Out Of Memory (OOM) in Dom0 by creating lots of VMs
which are writing a lot into the VMs filesystem.
6. There is no DispVM savefile, so if one starts one the savefile must be
regenerated which takes about 1-2 minutes.
7. UEFI boot doesn't work, and if you try booting it via UEFI Xen will not be
started, rendering the whole experiment unusable.
6. There is no DispVM savefile, so if you start a DispVM the savefile must be
regenerated, which takes about 1-2 minutes.
7. UEFI boot doesn't work, and if you try booting Qubes Live USB via UEFI, Xen
will not be started, rendering the whole experiment unusable.
Downloading and burning

View File

@ -0,0 +1,70 @@
---
layout: doc
title: How to Reinstall a TemplateVM
permalink: /doc/reinstall-template/
redirect_from:
- /doc/whonix/reinstall/
---
How to Reinstall a TemplateVM
=============================
If you suspect your [TemplateVM] is broken, misconfigured, or compromised,
or if you wish to do a clean reinstall in order to upgrade to a new version, you
can reinstall any TemplateVM from the Qubes repository. In what follows, the
phrase "target TemplateVM" refers to whichever TemplateVM you want to reinsatll.
If you want to reinstall more than one TemplateVM, repeat these instructions for
each one.
1. (Optional) Clone the existing target TemplateVM.
This can be a good idea if you've customized the existing template and want
to keep your customizations. On the other hand, if you suspect that this
template is broken, misconfigured, or compromised, you may want to remove it
without cloning it.
2. Create a temporary dummy template:
mkdir /var/lib/qubes/vm-templates/dummy
touch /var/lib/qubes/vm-templates/dummy/{root.img,private.img}
qvm-add-template dummy
3. Temporarily change all VMs based on the target TemplateVM to the new dummy
template, or remove them.
This can be a good idea if you have user data in these VMs that you want to
keep. On the other hand, if you suspect that these VMs (or the templates on
which they are based) are broken, misconfigured, or compromised, you may
want to remove them instead. You can do this in Qubes Manager by
right-clicking on the VM and clicking **Remove VM**, or you can use the
command `qvm-remove <vm-name>` in dom0.
Using a dummy template as a temporary template is preferable to using another
real TemplateVM because you can't accidentally boot any VMs from the dummy
template. (There is no OS in the dummy template, so the boot will fail.)
4. Uninstall the target TemplateVM from dom0:
$ sudo yum remove <template-package-name>
For example, to uninstall the `whonix-gw` template:
$ sudo yum remove qubes-template-whonix-gw
5. Reinstall the target TemplateVM in dom0:
$ sudo qubes-dom0-update --enablerepo=<optional-additional-repo> \
<template-package-name>
For example, to install the `whonix-gw` template:
$ sudo qubes-dom0-update --enablerepo=qubes-templates-community \
qubes-template-whonix-gw
6. If you temporarily changed all VMs based on the target TemplateVM to the
dummy template in step 3, change them back to the new target TemplateVM now.
If you instead removed all VMs based on the old target TemplateVM, you can
recreate your desired VMs from the newly reinstalled target TemplateVM now.
[TemplateVM]: /doc/templates/

View File

@ -27,6 +27,7 @@ available only as source code, which can be built using
are available in source code form only. Take a look at the [Qubes Builder
documentation](/doc/qubes-builder/) for instructions on how to compile them.
To reinstall a currently installed TemplateVM, see [here](/doc/reinstall-template/).
ITL Supported templates
-----------------------

View File

@ -1,54 +0,0 @@
---
layout: doc
title: Reinstall Whonix in Qubes
permalink: /doc/whonix/reinstall/
---
Reinstall Whonix in Qubes
===========================
If you suspect your Whonix templates are broken, misconfigured, or compromised,
or if you wish to do a clean reinstall in order to upgrade to a new version, you
can reinstall the Whonix templates from the Qubes repository. This procedure
involves [uninstalling] your Whonix templates, then [installing] them again.
1. (Optional) Clone your existing `whonix-gw` and `whonix-ws` templates.
This can be a good idea if you've customized the existing templates and want
to keep them. On the other hand, if you suspect that these templates are
broken, misconfigured, or compromised, you may want to remove them
without cloning them.
2. (Optional) Temporarily change all VMs based on `whonix-gw` and `whonix-ws` to
another template (e.g., the ones created in the previous step).
This can be a good idea if you have user data in these VMs that you want to
keep. On the other hand, if you suspect that these VMs (or the templates on
which they are based) are broken, misconfigured, or compromised, you may
want to remove them instead. You can do this in Qubes Manager by
right-clicking on the VM and clicking **Remove VM**, or you can use the
command `qvm-remove <vm-name>` in dom0.
3. Uninstall the Whonix templates from dom0:
$ sudo yum remove qubes-template-whonix-gw
$ sudo yum remove qubes-template-whonix-ws
4. Reinstall the Whonix templates in dom0:
$ sudo qubes-dom0-update --enablerepo=qubes-templates-community \
qubes-template-whonix-gw qubes-template-whonix-ws
5. If you followed step 2, change the VMs from step 2 back to the new
`whonix-gw` and `whonix-ws`. If you instead removed all VMs based on the old
`whonix-gw` and `whonix-ws`, simply create your desired VMs from the new
templates.
At a minimum, you'll want a ProxyVM (conventionally called `sys-whonix`)
based on `whonix-gw` and an AppVM based on `whonix-ws` that uses `sys-whonix`
as its NetVM.
[uninstalling]: /doc/whonix/uninstall/
[installing]: /doc/whonix/install/

View File

@ -32,7 +32,6 @@ To install Whonix, you must have a working Qubes machine already.
## Customizing, Reinstalling, & Uninstalling Whonix
* [Customizing Whonix](/doc/whonix/customize/)
* [Reinstall Whonix in Qubes](/doc/whonix/reinstall/)
* [Uninstall Whonix from Qubes](/doc/whonix/uninstall/)
*The following links are on Whonix's website and are technical.*