qusal/salt/sys-gui-vnc
Ben Grande f933523e10
feat: bump Fedora version
- Update to Fedora 41;
- Change default Fedora template to Xfce variant;
- Enforce Fedora based formulas to depend on a chain that always has the
  correct management disposable set. For 'qubes-builder,' it requires
  'mgmt', which requires 'fedora-minimal', which requires 'fedora-xfce';
- Cleanup salt patch necessary on version 39 and 40.
- Update base templates when stale before being cloned to derivative
  templates.
- Remove non-essential bootstrap formulas from requirements. Dom0 was
  never required, but very recommended, templates were required because
  it was best to update them on their formula before generating outdated
  clones of it.

Fix: https://github.com/ben-grande/qusal/issues/108
Fix: https://github.com/ben-grande/qusal/issues/57
2025-04-14 15:25:57 +02:00

sys-gui-vnc

VNC GUI domain in Qubes OS.

Description

Set up a VNC GUI domain named "sys-gui-vnc". The qube spawns a VNC server that you can connect to from other qubes. It is primarily intended for remote administration.

Installation

WARNING: unfinished formula.

  • Top:
sudo qubesctl top.enable qvm.sys-gui-vnc pillar=True
sudo qubesctl top.enable mgmt sys-gui-vnc
sudo qubesctl --targets=tpl-mgmt state.apply
sudo qubesctl state.apply sys-gui.prefs-mgmt
sudo qubesctl --targets=tpl-sys-gui,sys-gui-vnc state.apply
sudo qubesctl top.disable sys-gui-vnc
sudo qubesctl state.apply sys-gui-vnc.prefs
  • State:
sudo qubesctl top.enable qvm.sys-gui-vnc pillar=True
sudo qubesctl state.apply sys-gui-vnc.create
sudo qubesctl --skip-dom0 --targets=tpl-mgmt state.apply mgmt.install
sudo qubesctl state.apply sys-gui.prefs-mgmt
sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui-vnc.install
sudo qubesctl --skip-dom0 --targets=sys-gui-vnc state.apply sys-gui-vnc.configure
sudo qubesctl state.apply sys-gui-vnc.prefs

Shut down all your running qubes, as the global property default_guivm has changed to sys-gui-vnc.

Access control

Default policy: any qube is denied from connecting to any other qube.

Allow qube sys-remote to connect to sys-gui-vnc on port 5900:

qubes.ConnectTCP +5900 sys-remote @default allow target=sys-gui-vnc
qubes.ConnectTCP *     sys-remote @anyvm   deny

Usage

Qubes that have their guivm preference set to sys-gui-vnc will use it as the GUI domain.

It is unnecessary to have a netvm set for the VNC client qube for testing, but it is necessary to make the VNC server accessible from remote computers. If you plan to expose sys-gui-vnc to the network, it must have another authenticated transport such as a VPN or VNC over SSH.

From a trusted qube that has a VNC client installed, such as remmina, bind the port 6000 to the port 5900 listening on sys-gui-vnc:

qvm-connect-tcp 6000::5900

On the VNC client application, set connection protocol to VNC and host to 127.0.0.1:6000.

The login credentials are the same as those used in dom0: the first user in the qubes group and the corresponding password.

Uninstallation

Set the global preference default_guivm to dom0 and disable autostart of sys-gui-vnc:

sudo qubesctl state.apply sys-gui-vnc.cancel

You must also revert exposing the VNC server to other qubes and remote hosts:

  • Delete the Qrexec policy rules that allow qubes to connect to sys-gui-vnc with qubes.ConnectTCP, or change them to deny; and
  • Close firewall ports and disable services that expose the VNC client qube to external hosts.
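
One way to check the first point, as an added example that is not part of the qusal formula: a small audit that reads policy text in the five-field format shown under "Access control" and lists every non-deny rule that can route qubes.ConnectTCP to sys-gui-vnc. The sample policy is constructed; the qubes "work" and "admin-qube" and the function names are hypothetical.

```python
SERVICE = "qubes.ConnectTCP"
GUIVM = "sys-gui-vnc"

# Constructed sample: the two rules from this page plus made-up extras.
SAMPLE_POLICY = """\
# constructed sample, not a real policy file
qubes.ConnectTCP +5900 sys-remote @default allow target=sys-gui-vnc
qubes.ConnectTCP *     sys-remote @anyvm   deny
qubes.ConnectTCP +5900 work       sys-gui-vnc ask default_target=sys-gui-vnc
qubes.Filecopy   *     @anyvm     @anyvm   ask
*                *     admin-qube @anyvm   allow
"""

def parse_rule(line):
    """Split 'service argument source destination action [key=value ...]'."""
    line = line.strip()
    if not line or line[0] in "#!":
        return None  # blank line, comment, or directive such as !include
    fields = line.split()
    if len(fields) < 5:
        return None  # not a complete rule
    service, argument, source, dest, action = fields[:5]
    params = dict(p.split("=", 1) for p in fields[5:] if "=" in p)
    return {"service": service, "argument": argument, "source": source,
            "dest": dest, "action": action, "params": params}

def exposes_guivm(rule):
    """True if a non-deny rule can route qubes.ConnectTCP to the GUI qube."""
    if rule["action"] == "deny" or rule["service"] not in (SERVICE, "*"):
        return False
    # The call reaches the GUI qube through target=/default_target=,
    # by naming it as destination, or through a destination wildcard.
    reached = {rule["dest"], rule["params"].get("target"),
               rule["params"].get("default_target")}
    return bool(reached & {GUIVM, "@anyvm", "*"})

def audit(policy_text):
    """Return (line, source, argument, action) for each exposing rule."""
    findings = []
    for number, line in enumerate(policy_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule and exposes_guivm(rule):
            findings.append((number, rule["source"], rule["argument"],
                             rule["action"]))
    return findings

if __name__ == "__main__":
    for number, source, argument, action in audit(SAMPLE_POLICY):
        print(f"line {number}: {source} -> {GUIVM} ({argument}, {action})")
```

The audit lists candidate rules for review and does not evaluate rule order, so a rule it reports may already be shadowed by an earlier deny. To run it on a real system, pass it the contents of the dom0 policy files (assumed here to be under /etc/qubes/policy.d).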