========== GUI domain ========== On this page, we describe how to set up a `GUI domain `__. In all the cases, the base underlying TemplateVM used is ``Fedora`` with ``XFCE`` flavor to match current desktop choice in ``dom0``. That can be adapted very easily for other desktops and templates. By default, the configured GUI domain is a management qube with global admin permissions ``rwx`` but can be adjusted to ``ro`` (see `Introducing the Qubes Admin API `__) in pillar data of the corresponding GUI domain to setup. For example, pillar data for ``sys-gui`` located at ``/srv/pillar/base/qvm/sys-gui.sls``. Please note that each GUI domain has no ``NetVM``. Note: The setup is done using ``SaltStack`` formulas with the ``qubesctl`` tool. When executing it, apply step can take time because it needs to download latest Fedora XFCE TemplateVM and install desktop dependencies. Hybrid GUI domain (``sys-gui``) ------------------------------- Here, we describe how to setup ``sys-gui`` that we call *hybrid mode* or referenced as a *compromise solution* in `GUI domain `__. |sys-gui| In ``dom0``, enable the formula for ``sys-gui`` with pillar data: .. code:: bash sudo qubesctl top.enable qvm.sys-gui sudo qubesctl top.enable qvm.sys-gui pillar=True then, execute it: .. code:: bash sudo qubesctl --all state.highstate You can now disable the ``sys-gui`` formula: .. code:: bash sudo qubesctl top.disable qvm.sys-gui At this point, you need to shutdown all your running qubes as the ``default_guivm`` qubes global property has been set to ``sys-gui``. In order to use ``sys-gui`` as GUI domain, you need to logout and, in the top right corner, select ``lightdm`` session type to **GUI domain (sys-gui)**. Once logged, you are running ``sys-gui`` as fullscreen window and you can perform any operation as if you would be in ``dom0`` desktop. Note: In order to go back to ``dom0`` desktop, you need to logout and then, select ``lightdm`` session to *Session Xfce*. GPU GUI domain (``sys-gui-gpu``) -------------------------------- Here, we describe how to setup ``sys-gui-gpu`` which is a GUI domain with *GPU passthrough* in `GUI domain `__. |sys-gui-gpu| In ``dom0``, enable the formula for ``sys-gui-gpu`` with pillar data: .. code:: bash sudo qubesctl top.enable qvm.sys-gui-gpu sudo qubesctl top.enable qvm.sys-gui-gpu pillar=True then, execute it: .. code:: bash sudo qubesctl --all state.highstate You can now disable the ``sys-gui-gpu`` formula: .. code:: bash sudo qubesctl top.disable qvm.sys-gui-gpu One more step is needed: attaching the actual GPU to ``sys-gui-gpu``. This can be done either manually via ``qvm-pci`` (remember to enable permissive option), or via: .. code:: bash sudo qubesctl state.sls qvm.sys-gui-gpu-attach-gpu The latter option assumes Intel graphics card (it has hardcoded PCI address). If you don’t have Intel graphics card, please use the former method with ``qvm-pci`` (see :doc:`How to use PCI devices `). Note: Some platforms can have multiple GPU. For example on laptops, it is usual to have HDMI or DISPLAY port linked to the secondary GPU (generally called *discrete GPU*). In such case, you have to also attach the secondary GPU to ``sys-gui-gpu`` with permissive option. At this point, you need to reboot your Qubes OS machine in order to boot into ``sys-gui-gpu``. Note: For some platforms, it can be sufficient to shutdown all the running qubes and starting ``sys-gui-gpu``. Unfortunately, it has been observed that detaching and attaching some GPU cards from ``dom0`` to ``sys-gui-gpu`` can freeze computer. We encourage reboot to prevent any data loss. Once, ``lightdm`` is started, you can log as ``user`` where ``user`` refers to the first ``dom0`` user in ``qubes`` group and with corresponding ``dom0`` password. A better approach for handling password is currently discussed in `QubesOS/qubes-issues#6740 `__. VNC GUI domain (``sys-gui-vnc``) -------------------------------- Here, we describe how to setup ``sys-gui-vnc`` that we call a *remote* GUI domain or referenced as *with a virtual server* in `GUI domain `__. |sys-gui-vnc| In ``dom0``, enable the formula for ``sys-gui-vnc`` with pillar data: .. code:: bash sudo qubesctl top.enable qvm.sys-gui-vnc sudo qubesctl top.enable qvm.sys-gui-vnc pillar=True then, execute it: .. code:: bash sudo qubesctl --all state.highstate You can now disable the ``sys-gui-vnc`` formula: .. code:: bash sudo qubesctl top.disable qvm.sys-gui-vnc At this point, you need to shutdown all your running qubes as the ``default_guivm`` qubes global property has been set to ``sys-gui-vnc``. Then, you can start ``sys-gui-vnc``: .. code:: bash qvm-start sys-gui-vnc A VNC server session is running on ``localhost:5900`` in ``sys-gui-vnc``. In order to reach the ``VNC`` server, we encourage to not connect ``sys-gui-vnc`` to a ``NetVM`` but rather to use another qube for remote access, say ``sys-remote``. First, you need to bind port 5900 of ``sys-gui-vnc`` into a ``sys-remote`` local port (you may want to use another port than 5900 to reach ``sys-remote`` from the outside). For that, use ``qubes.ConnectTCP`` RPC service (see :doc:`Firewall `. Then, you can use any ``VNC`` client to connect to you ``sys-remote`` on the chosen local port (5900 if you kept the default one). For the first connection, you will reach ``lightdm`` for which you can log as ``user`` where ``user`` refers to the first ``dom0`` user in ``qubes`` group and with corresponding ``dom0`` password. Note: ``lightdm`` session remains logged even if you disconnect your ``VNC`` client. Ensure to lock or log out before disconnecting your ``VNC`` client session. **WARNING**: This setup raises multiple security issues: 1) Anyone who can reach the ``VNC`` server, can take over the control of the Qubes OS machine, 2) A second client can connect even if a connection is already active and potentially get disconnected, 3) You can get disconnected by some unrelated network issues. Generally, if this ``VNC`` server is exposed to open network, it must be protected with some other (cryptographic) layer like ``VPN``. The setup as is, is useful only for purely testing machine. Troubleshooting --------------- Application menu lacks qubes entries in a fresh GUI domain ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ See `QubesOS/qubes-issues#5804 `__ Delete GUI domain ^^^^^^^^^^^^^^^^^ The following commands have to be run in ``dom0``. Note: For the case of ``sys-gui-gpu``, you need to prevent Qubes OS autostart of any qube to reach ``dom0``. For that, you need to boot Qubes OS with ``qubes.skip_autostart`` GRUB parameter. Set ``default_guivm`` as ``dom0``: .. code:: bash qubes-prefs default_guivm dom0 and for every selected qubes not using default value for GUI domain property, for example with a qube ``personal``: .. code:: bash qvm-prefs personal guivm dom0 You are now able to delete the GUI domain, for example ``sys-gui-gpu``: .. code:: bash qvm-remove -f sys-gui-gpu General issues ^^^^^^^^^^^^^^ For any general GUI domain issues, please take a loot at existing issues ``QubesOS/qubes-issues`` under `C: gui-domain `__ label. .. |sys-gui| image:: /attachment/posts/guivm-hybrid.png .. |sys-gui-gpu| image:: /attachment/posts/guivm-gpu.png .. |sys-gui-vnc| image:: /attachment/posts/guivm-vnc.png