diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md index 2f04d888..06f49226 100644 --- a/common-tasks/software-update-vm.md +++ b/common-tasks/software-update-vm.md @@ -14,15 +14,20 @@ Installing and updating software in VMs How TemplateVMs work in Qubes ------------------------------ -Most of the AppVMs (domains) are based on a *TemplateVM*, which means that their root filesystem (i.e. all the programs and system files) is based on the root filesystem of the corresponding template VM. This dramatically saves disk space, because each new AppVM needs disk space only for storing the user's files (i.e. the home directory). Of course the AppVM has only read-access to the template's filesystem -- it cannot modify it in any way. +Most of the AppVMs (domains) are based on a *TemplateVM*, which means that their root filesystem (i.e. all the programs and system files) is based on the root filesystem of the corresponding template VM. +This dramatically saves disk space, because each new AppVM needs disk space only for storing the user's files (i.e. the home directory). +Of course the AppVM has only read-access to the template's filesystem -- it cannot modify it in any way. -In addition to saving on the disk space, and reducing domain creation time, another advantage of such scheme is the possibility for centralized software update. It's just enough to do the update in the template VM, and then all the AppVMs based on this template get updates automatically after they are restarted. +In addition to saving on the disk space, and reducing domain creation time, another advantage of such scheme is the possibility for centralized software update. +It's just enough to do the update in the template VM, and then all the AppVMs based on this template get updates automatically after they are restarted. The default template is called **fedora-23** in Qubes R3.2 and **fedora-26** in Qubes R4.0. -The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home`, `/usr/local`, or `/rw` then it will disappear after the AppVM reboots (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally installs software in the TemplateVM, not in AppVMs.** +The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home`, `/usr/local`, or `/rw` then it will disappear after the AppVM reboots (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). +**This means one normally installs software in the TemplateVM, not in AppVMs.** -Unlike VM private filesystems, under R3.x the template VM root filesystem does not support discard by default, so deleting files does not free the space in dom0. See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0. +Unlike VM private filesystems, under R3.x the template VM root filesystem does not support discard by default, so deleting files does not free the space in dom0. +See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0. In R4.0 and higher, the template root filesystem is created in a thin pool so manual trims are no longer needed. @@ -35,9 +40,13 @@ In order to permanently install new software, you should: - Start the template VM and then start either console (e.g. `gnome-terminal`) or dedicated software management application, such as `gpk-application` (*Start-\>Applications-\>Template: fedora-XX-\>Add/Remove software*), -- Install/update software as usual (e.g. using dnf, or the dedicated GUI application). Then, shutdown the template VM, +- Install/update software as usual (e.g. using dnf, or the dedicated GUI application). + Then, shutdown the template VM. -- You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You can restart others whenever this will be convenient to you. +- You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. + This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. + You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. + You can restart others whenever this will be convenient to you. Testing repositories -------------------- @@ -46,15 +55,12 @@ Testing repositories There are three Qubes VM testing repositories (where `*` denotes the Release): -* `qubes-vm-*-current-testing` -- testing packages that will eventually land in the stable - (`current`) repository -* `qubes-vm-*-security-testing` -- a subset of `qubes-vm-*-current-testing` that contains packages - that qualify as security fixes -* `qubes-vm-*-unstable` -- packages that are not intended to land in the stable (`qubes-vm-*-current`) - repository; mostly experimental debugging packages +* `qubes-vm-*-current-testing` -- testing packages that will eventually land in the stable (`current`) repository +* `qubes-vm-*-security-testing` -- a subset of `qubes-vm-*-current-testing` that contains packages that qualify as security fixes +* `qubes-vm-*-unstable` -- packages that are not intended to land in the stable (`qubes-vm-*-current`) repository; mostly experimental debugging packages -To temporarily enable any of these repos, use the `--enablerepo=` -option. Example commands: +To temporarily enable any of these repos, use the `--enablerepo=` option. +Example commands: ~~~ sudo dnf upgrade --enablerepo=qubes-vm-*-current-testing @@ -62,50 +68,42 @@ sudo dnf upgrade --enablerepo=qubes-vm-*-security-testing sudo dnf upgrade --enablerepo=qubes-vm-*-unstable ~~~ -To enable or disable any of these repos permanently, change the corresponding boolean in -`/etc/yum.repos.d/qubes-*.repo`. +To enable or disable any of these repos permanently, change the corresponding boolean in `/etc/yum.repos.d/qubes-*.repo`. ### Debian ### Debian also has three Qubes VM testing repositories (where `*` denotes the Release): -* `*-testing` -- testing packages that will eventually land in the stable - (`current`) repository -* `*-securitytesting` -- a subset of `*-testing` that contains packages - that qualify as security fixes -* `*-unstable` -- packages that are not intended to land in the stable - repository; mostly experimental debugging packages +* `*-testing` -- testing packages that will eventually land in the stable (`current`) repository +* `*-securitytesting` -- a subset of `*-testing` that contains packages that qualify as security fixes +* `*-unstable` -- packages that are not intended to land in the stable repository; mostly experimental debugging packages -To enable or disable any of these repos permanently, uncomment the corresponding `deb` line in -`/etc/apt/sources.list.d/qubes-r*.list` +To enable or disable any of these repos permanently, uncomment the corresponding `deb` line in `/etc/apt/sources.list.d/qubes-r*.list` Reverting changes to a TemplateVM (R4.0) --------------------------------- -TBD- Qubes 4.0 uses a CoW system that permits snapshotting. To revert changes, one would... +Qubes 4.0 uses a CoW system that permits snapshotting. +Reversion functionality is still being developed at the time of writing. +See [issue #3256](https://github.com/QubesOS/qubes-issues/issues/3256) for details. Reverting changes to a TemplateVM (R3.2) --------------------------------- Perhaps you've just updated your TemplateVM, and the update broke your template. -Or perhaps you've made a terrible mistake, like accidentally confirming the -installation of an unsigned package that could be malicious. Fortunately, -it's easy to revert changes to TemplateVMs using the -`qvm-revert-template-changes` command. +Or perhaps you've made a terrible mistake, like accidentally confirming the installation of an unsigned package that could be malicious. +Fortunately, it's easy to revert changes to TemplateVMs using the `qvm-revert-template-changes` command. -**Important:** This command will roll back any changes made *during the last -time the TemplateVM was run, but **not** before.* This means that if you have -already restarted the TemplateVM, using this command is unlikely to help, and -you'll likely want to reinstall it from the repository instead. On the other -hand, if the template is already broken or compromised, it won't hurt to try -reverting first. Just make sure to **back up** all of your data and changes -first! +**Important:** This command will roll back any changes made *during the last time the TemplateVM was run, but **not** before.* +This means that if you have already restarted the TemplateVM, using this command is unlikely to help, and you'll likely want to reinstall it from the repository instead. +On the other hand, if the template is already broken or compromised, it won't hurt to try reverting first. +Just make sure to **back up** all of your data and changes first! For example, to revert changes to the `fedora-23` TemplateVM: 1. Shut down all VMs based on `fedora-23`. -2. Shut down `fedora-23`. If you've already just shut it down, do **not** start - it again (see above). +2. Shut down `fedora-23`. + If you've already just shut it down, do **not** start it again (see above). 3. In a dom0 terminal, type: qvm-revert-template-changes fedora-23 @@ -114,17 +112,19 @@ For example, to revert changes to the `fedora-23` TemplateVM: qvm-revert-template-changes --force fedora-23 -For the technical details about how this command works and the steps it -performs, see [here](/doc/template-implementation/#rollback-template-changes). +For the technical details about how this command works and the steps it performs, see [here](/doc/template-implementation/#rollback-template-changes). Notes on trusting your TemplateVM(s) ------------------------------------- -As the TemplateVM is used for creating filesystems for other AppVMs, where you actually do the work, it means that the TemplateVM is as trusted as the most trusted AppVM based on this template. In other words, if your template VM gets compromised, e.g. because you installed an application, whose *installer's scripts* were malicious, then *all* your AppVMs (based on this template) will inherit this compromise. +As the TemplateVM is used for creating filesystems for other AppVMs where you actually do the work, it means that the TemplateVM is as trusted as the most trusted AppVM based on this template. +In other words, if your template VM gets compromised, e.g. because you installed an application, whose *installer's scripts* were malicious, then *all* your AppVMs (based on this template) will inherit this compromise. There are several ways to deal with this problem: -- Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos. +- Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. + All those packages are signed by Fedora, and we expect that at least the package's installation scripts are not malicious. + This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos. - Use *standalone VMs* (see below) for installation of untrusted software packages. @@ -132,28 +132,43 @@ There are several ways to deal with this problem: Some popular questions: -- So, why should we actually trust Fedora repos -- it also contains large amount of third-party software that might buggy, right? +- So, why should we actually trust Fedora repos -- it also contains large amount of third-party software that might be buggy, right? -As far as the template's compromise is concerned, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise. +As far as the template's compromise is concerned, it doesn't really matter whether `/usr/bin/firefox` is buggy and can be exploited, or not. +What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. +Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run `/usr/bin/firefox` and get infected from it, in case it was compromised. +Also, some of your more trusted AppVMs would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial `/usr/bin/firefox` being potentially buggy and easy to compromise. - But why trust Fedora? -Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter. +Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). +We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. +We had to trust *somebody* as we are unable to write all the software from scratch ourselves. +But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. +We certainly do not assume the latter. - So, are the template VMs as trusted as Dom0? -Not quite. Dom0 compromise is absolutely fatal, and it leads to Game OverTM. However, a compromise of a template affects only a subset of all your AppVMs (in case you use more than one template, or also some standalone VMs). Also, if your AppVMs are network disconnected, even though their filesystems might get compromised due to the corresponding template compromise, it still would be difficult for the attacker to actually leak out the data stolen in an AppVM. Not impossible (due to existence of cover channels between VMs on x86 architecture), but difficult and slow. +Not quite. +Dom0 compromise is absolutely fatal, and it leads to Game OverTM. +However, a compromise of a template affects only a subset of all your AppVMs (in case you use more than one template, or also some standalone VMs). +Also, if your AppVMs are network disconnected, even though their filesystems might get compromised due to the corresponding template compromise, it still would be difficult for the attacker to actually leak out the data stolen in an AppVM. +Not impossible (due to existence of cover channels between VMs on x86 architecture), but difficult and slow. Standalone VMs -------------- -Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on their own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them. +Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on their own. +But this means that they take a few GBs on disk, and also that centralized updates do not apply to them. -Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.: +Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. +Such situations include e.g.: - VMs used for development (devel environments require a lot of \*-devel packages and specific devel tools) -- VMs used for installing untrusted packages. Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts). However, when you would like to install some packages from less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way. +- VMs used for installing untrusted packages. + Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts). + However, when you would like to install some packages from less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way. In order to create a standalone VM you can use a command line like this (from console in Dom0): @@ -166,9 +181,14 @@ qvm-create --standalone --label