======================= How to install software ======================= When you wish to install software in Qubes OS, you should generally install it in a :ref:`template `. For installing templates themselves, see :ref:`how to install a template `. Advanced users may also be interested in learning how to install software in :doc:`standalones ` and :doc:`dom0 `. Qubes OS is effectively a “meta” operating system (OS) that can run almost any arbitrary OS inside of itself. For example, the way software is normally installed in a Linux distribution (“distro”) is quite different from the way software is normally installed in Windows. This isn’t up to Qubes. Qubes is just the framework in which you’re running these other OSes. Therefore, if you want to install software in a Linux template, for example, you should do so in whatever way is normal for that Linux distro. Most Linux software is distributed via `packages `__, which are stored in `software repositories `__ (“repos”). `Package managers `__ handle downloading, installing, updating, and removing packages. (Again, none of this is Qubes-specific.) If you’re not familiar with how software is normally installed in Linux distros via package managers or the software you want doesn’t seem to be available in your distro’s repos (or you’re in another situation not covered on this page), please read this `community guide to installing software in Qubes `__. The following instructions explain how to permanently install new software in a template. There are different instructions for software from the default repositories and all other software. (If you’re not sure, try the default repositories first.) Installing software from default repositories --------------------------------------------- 1. Start the template. 2. Start either a terminal (e.g. ``gnome-terminal``) or a dedicated software management application, such as ``gpk-application``. 3. Install software as normally instructed inside that operating system, e.g.: - Fedora: ``sudo dnf install `` - Debian: ``sudo apt install `` 4. Shut down the template. 5. Restart all qubes based on the template. 6. (Recommended) In the relevant qubes’ **Settings > Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see :doc:`here ` for troubleshooting.) .. figure:: /attachment/doc/r4.1-dom0-appmenu-select.png :alt: `The Applications tab in Qube Settings `__ `The Applications tab in Qube Settings `__ Installing software from other sources -------------------------------------- **Warning:** This method gives your template direct network access, which is `risky <#why-dont-templates-have-network-access>`__. This method is **not** recommended for trusted templates. Moreover, depending on how you install this software, it may not get updated automatically when you :doc:`update Qubes normally `, which means you may have to update it manually yourself. Some software is not available from the default repositories and must be downloaded and installed from another source. This method assumes that you’re trying to follow the instructions to install some piece of software in a normal operating system, except that operating system is running as a template in Qubes OS. 1. (Recommended) Clone the desired template (since this new template will probably be less trusted than the original). 2. (Recommended) In the new template’s **Settings > Basic** tab, change the color label from black to red (or another color that signifies to you that the template is less trusted). 3. In the new template’s **Settings > Basic** tab, change the **Networking** value from ``default (none) (current)`` to ``sys-firewall`` (or whichever network-providing qube you wish to use). 4. (Recommended) In the new template’s **Settings > Firewall rules** tab, select “Limit outgoing Internet connections to…” and tick “Allow full access for 5 min.” (This can help in case you forget to remove network access later.) 5. Follow the normal instructions for installing your software in the new template. For example, open a terminal and enter the commands as instructed. **Warning:** If you don’t fully understand the commands you’re entering, then this can be extremely risky, and the template should be regarded as *completely untrusted*. 6. (Recommended) In the new template’s **Settings > Basic** tab, change the **Networking** value from ``sys-firewall (current)`` (or whichever network-providing qube you chose) back to ``default (none)``. 7. Shut down the new template. 8. Create or assign your desired app qubes to use the new template. If any app qubes were already assigned to the new template, restart them. 9. (Recommended) In the relevant qubes’ **Settings > Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see :doc:`here ` for troubleshooting.) .. figure:: /attachment/doc/r4.1-dom0-appmenu-select.png :alt: `The Applications tab in Qube Settings `__ `The Applications tab in Qube Settings `__ Troubleshooting --------------- If things are still not working as expected: - Review the instructions very carefully, making sure you follow each step. - Make sure you **shut down the template after installing your software**. - Make sure you **restart your app qube after shutting down your template**. - Make sure your app qube is assigned to the right template. - If your software requires special files or directories to be persistent, and you’re an advanced user, see :doc:`standalones and HVMs ` and :doc:`how to make any file persistent (bind-dirs) `. - :doc:`Ask for help. ` How to update software ---------------------- Please see :doc:`How to Update `. Why don't templates have network access? ---------------------------------------- In order to protect you from performing risky activities in templates, they do not have normal network access by default. Instead, templates use an `updates proxy <#updates-proxy>`__ that allows you to install and update software using the distribution package manager without giving the template direct network access. **The updates proxy is already setup to work automatically out-of-the-box and requires no special action from you.** Most users should simply follow the normal instructions for `installing software from default repositories <#installing-software-from-default-repositories>`__ and :doc:`updating ` software. If your software is not available in the default repositories, see `installing software from other sources <#installing-software-from-other-sources>`__. Advanced -------- The following sections cover advanced topics pertaining to installing and updating software in domUs. Testing repositories ^^^^^^^^^^^^^^^^^^^^ If you wish to install updates that are still in :doc:`testing `, you must enable the appropriate testing repositories. **Note:** The following repos are in templates and standalones. For dom0 testing repos, see :ref:`here `. For testing new templates, please see :ref:`here `. Fedora ^^^^^^ There are three Qubes VM testing repositories (where ``*`` denotes the Release): - ``qubes-vm-*-current-testing`` – testing packages that will eventually land in the stable (``current``) repository - ``qubes-vm-*-security-testing`` – a subset of ``qubes-vm-*-current-testing`` that contains packages that qualify as security fixes - ``qubes-vm-*-unstable`` – packages that are not intended to land in the stable (``qubes-vm-*-current``) repository; mostly experimental debugging packages To temporarily enable any of these repos, use the ``--enablerepo=`` option. Example commands: .. code:: bash sudo dnf upgrade --enablerepo=qubes-vm-*-current-testing sudo dnf upgrade --enablerepo=qubes-vm-*-security-testing sudo dnf upgrade --enablerepo=qubes-vm-*-unstable To enable or disable any of these repos permanently, change the corresponding ``enabled`` value to ``1`` in ``/etc/yum.repos.d/qubes-*.repo``. Debian ^^^^^^ Debian also has three Qubes VM testing repositories (where ``*`` denotes the Release): - ``*-testing`` – testing packages that will eventually land in the stable (``current``) repository - ``*-securitytesting`` – a subset of ``*-testing`` that contains packages that qualify as security fixes - ``*-unstable`` – packages that are not intended to land in the stable repository; mostly experimental debugging packages To enable or disable any of these repos permanently, uncomment the corresponding ``deb`` line in ``/etc/apt/sources.list.d/qubes-r*.list``. Standalones ^^^^^^^^^^^ The process for installing and updating software in :ref:`standalones ` is the same as described above for templates, except no qubes are based on standalones, so there are no other qubes to restart. RPMFusion for Fedora templates ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If you would like to enable the `RPM Fusion `__ repositories, open a Terminal of the template and type the following commands, depending on which RPM Fusion repositories you wish to enable (see `RPM Fusion `__ for details): .. code:: bash sudo dnf config-manager --set-enabled rpmfusion-free sudo dnf config-manager --set-enabled rpmfusion-free-updates sudo dnf config-manager --set-enabled rpmfusion-nonfree sudo dnf config-manager --set-enabled rpmfusion-nonfree-updates sudo dnf upgrade --refresh This will permanently enable the RPM Fusion repos. If you install software from here, it’s important to keep these repos enabled so that you can receiving future updates. If you only enable these repos temporarily to install a package the Qubes update mechanism may persistently notify you that updates are available, since it cannot download them. Reverting changes to a template ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Perhaps you’ve just updated your template, and the update broke your template. Or perhaps you’ve made a terrible mistake, like accidentally confirming the installation of an unsigned package that could be malicious. If you want to undo changes to a template, there are three basic methods: 1. **Root revert.** This is appropriate for misconfigurations, but not for security concerns. It will preserve your customizations. 2. **Reinstall the template.** This is appropriate for both misconfigurations and security concerns, but you will lose all customizations. 3. **Full revert.** This is appropriate for both misconfigurations and security concerns, and it can preserve your customizations. However, it is a bit more complex. Root revert ^^^^^^^^^^^ **Important:** This command will roll back any changes made *during the last time the template was run, but* **not** *before.* This means that if you have already restarted the template, using this command is unlikely to help, and you’ll likely want to reinstall it from the repository instead. On the other hand, if the template is already broken or compromised, it won’t hurt to try reverting first. Just make sure to **back up** all of your data and changes first! 1. Shut down ``