qubes-doc/user/advanced-topics/config-files.md
Marek Marczykowski-Górecki 3806ecf338
Remove extra newlines at the beginning/end of files
Those are redundant, and yaml parser strips them in fact. By removing
them, loading and saving yaml file without any change indeed produce the
same output. This is useful for prepare_for_translation.py script (which
adds lang and ref tags) - to produce only change that indeed was made.
2021-06-24 16:07:23 +02:00

5.8 KiB

lang layout permalink redirect_from ref title
en doc /doc/config-files/
/en/doc/config-files/
/doc/ConfigFiles/
/doc/UserDoc/ConfigFiles/
/wiki/UserDoc/ConfigFiles/
180 Config Files

Qubes-specific VM config files

These files are placed in /rw, which survives a VM restart. That way, they can be used to customize a single VM instead of all VMs based on the same template. The scripts here all run as root.

  • /rw/config/rc.local - script runs at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config, etc. Example usage:

    # Store bluetooth keys in /rw to keep them across VM restarts
    rm -rf /var/lib/bluetooth
    ln -s /rw/config/var-lib-bluetooth /var/lib/bluetooth
    
    # Add entry to /etc/hosts
    echo '127.0.0.1 example.com' >> /etc/hosts
    
  • /rw/config/qubes-ip-change-hook - script runs in NetVM after every external IP change and on "hardware" link status change.

  • In ProxyVMs (or app qubes with qubes-firewall service enabled), scripts placed in the following directories will be executed in the listed order followed by qubes-firewall-user-script at start up. Good place to write custom firewall rules.

    /etc/qubes/qubes-firewall.d
    /rw/config/qubes-firewall.d
    /rw/config/qubes-firewall-user-script
    
  • /rw/config/suspend-module-blacklist - list of modules (one per line) to be unloaded before system goes to sleep. The file is used only in a VM with PCI devices attached. Intended for use with problematic device drivers.

  • In NetVMs/ProxyVMs, scripts placed in /rw/config/network-hooks.d will be ran when configuring Qubes interfaces. For each script, the command, vif, vif_type and ip is passed as arguments (see /etc/xen/scripts/vif-route-qubes). For example, consider a PV app qube work with IP 10.137.0.100 and sys-firewall as NetVM. Assuming it's Xen domain id is arbitrary 12 then, the following script located at /rw/config/network-hooks.d/hook-100.sh in sys-firewall:

    #!/bin/bash
    
    command="$1"
    vif="$2"
    vif_type="$3"
    ip="$4"
    
    if [ "$ip" == '10.137.0.100' ]; then
        case "$command" in
            online)
                ip route add 192.168.0.100 via 10.137.0.100
                ;;
            offline)
                ip route del 192.168.0.100
                ;;
        esac
    fi
    

    will be executed with arguments online vif12.0 vif 10.137.0.100 when starting work. Please note that in case of an HVM, the script will be called twice - once with vif_type vif, then with vif_type vif_ioemu (and different interface names). As long as the ioemu interface exists, it should be preferred (up to the hook script). When the VM decides to use a PV interface (vif_type vif), the ioemu one will be unplugged.

Note that scripts need to be executable (chmod +x) to be used.

Also, take a look at bind-dirs for instructions on how to easily modify arbitrary system files in an app qube and have those changes persist.

GUI and audio configuration in dom0

The GUI configuration file /etc/qubes/guid.conf in one of a few not managed by qubes-prefs or the Qubes Manager tool. Sample config (included in default installation):

# Sample configuration file for Qubes GUI daemon
#  For syntax go https://www.hyperrealm.com/libconfig/libconfig_manual.html

global: {
  # default values
  #allow_fullscreen = false;
  #override_redirect_protection = true;
  #allow_utf8_titles = false;
  #secure_copy_sequence = "Ctrl-Shift-c";
  #secure_paste_sequence = "Ctrl-Shift-v";
  #windows_count_limit = 500;
  #audio_low_latency = true;
  #log_level = 1;
  #trayicon_mode = "border1";
  #startup_timeout = 45;
};

# most of setting can be set per-VM basis

VM: {
  work: {
    allow_utf8_titles = true;
  };
  video-vm: {
    allow_fullscreen = true;
  };
};

Currently supported settings:

  • allow_fullscreen - allow VM to request its windows to go fullscreen (without any colorful frame).

    Note: Regardless of this setting, you can always put a window into fullscreen mode in Xfce4 using the trusted window manager by right-clicking on a window's title bar and selecting "Fullscreen". This functionality should still be considered safe, since a VM window still can't voluntarily enter fullscreen mode. The user must select this option from the trusted window manager in dom0. To exit fullscreen mode from here, press alt + space to bring up the title bar menu again, then select "Leave Fullscreen".

  • allow_utf8_titles - allow the use of UTF-8 in window titles; otherwise, non-ASCII characters are replaced by an underscore.

  • secure_copy_sequence and secure_paste_sequence - key sequences used to trigger secure copy and paste.

  • audio_low_latency - force low-latency audio mode (about 40ms compared to 200-500ms by default). Note that this will cause much higher CPU usage in dom0. It's enabled by default, disabling it may save CPU in dom0.

  • trayicon_mode - defines the trayicon coloring mode. Options are - bg - color full icon background to the VM color - border1 - add 1px border at the icon edges - border2 - add 1px border 1px from the icon edges - tint - tinttint icon to the VM color, can be used with additional modifiers (you can enable multiple of them) - tint+border1,tint+border2 - same as tint, but also add a border - tint+saturation50 - same as tint, but reduce icon saturation by 50% - tint+whitehack - same as tint, but change white pixels (0xffffff) to almost-white (0xfefefe)

  • log level - defines the log options logs can take. It can have a value of 0 (only errors), 1 (some basic messages), and 2 (debug).

  • startup_timeout - The timeout for startup.