Advanced Qubes Installation (light installer / 4Kn Debian Template / Detached header / Encrypted Boot / Dom0 & DispVM in tmpfs)

I’ve decided to write some of the setup I use.

The layout will contain:

  1. Building light qubes os installer and 4Kn debian template.
  2. Detached header and encrypted boot.
  3. Setting up dom0 and vm.
  4. Running dom0 and DispVM in tmpfs.

This thread will only talk about building a light Qubes (dom0 only) and
making a 4Kn Debian template.

What you need:
  • Fedora AppVM to run qubes-builder; you can use fc34 / fc35.
  • 2 or more vCPUs, 6 GB or more RAM.
  • 30 GB private storage.

Every command below is issued in your builder vm.

How to :
-Qubes Key

gpg2 --import /usr/share/qubes/qubes-master-key.asc
gpg2 --edit-key qubes
trust
5
q
wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc
gpg2 --import qubes-developers-keys.asc

-Qubes Builder

git clone https://github.com/QubesOS/qubes-builder.git qubes-builder
cd qubes-builder
git tag -v "$(git describe)"
cat >>builder.conf<< EOF

# vim: ft=make

VERBOSE ?= 2

BACKEND_VMM ?= xen

GIT_BASEURL ?= https://github.com
GIT_PREFIX ?= QubesOS/qubes-

RELEASE ?= 4.1

DIST_DOM0 ?= fc32
DISTS_VM ?= bullseye+minimal

COMPONENTS = \
    installer-qubes-os \
    linux-yum \
    builder-rpm \
    builder-debian \
    linux-template-builder 

BUILDER_PLUGINS ?= builder-rpm builder-debian

USE_QUBES_REPO_VERSION = 4.1
USE_QUBES_REPO_TESTING = 1
ISO_USE_KERNEL_LATEST = 1
ISO_VERSION = 5111341

INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/travis-iso-full.ks
EOF

make get-sources
make install-deps

-Delete fedora, whonix, and debian build

sed -i '/@whonix/d' qubes-src/installer-qubes-os/conf/qubes-kickstart.cfg
sed -i '/@debian/d' qubes-src/installer-qubes-os/conf/qubes-kickstart.cfg
sed -i '/@fedora/d' qubes-src/installer-qubes-os/conf/qubes-kickstart.cfg

-Build debian 4Kn template

cd qubes-src/linux-template-builder
curl https://github.com/51lieal/qubes-linux-template-builder/commit/e656f59a18e15e58ec68a2e94fd47bc5da8efca2.patch | git apply -v
cd ~/qubes-builder
make template

-Build Qubes

make remount
make iso

-Mount drive to /mnt and copy template & iso

sudo cp iso/*.iso /mnt

sudo cp qubes-src/installer-qubes-os/rpm/noarch/*.rpm /mnt

That’s how you build a light qubes-os-installer and a 4Kn Debian template.

Please, no questions about the next steps in here, so we can keep the Q&A in the right post; qubes-builder related questions are okay. Let’s wait a couple of days for the next step.

9 Likes
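Piping a downloaded patch straight into git apply, as in the template step above, applies whatever the URL serves at that moment. The following is an added example (not part of the original post) that pins a reviewed patch by SHA-256 and summarizes what it touches before it is applied; the sample patch, its paths and the function names are constructed for illustration.

```python
import hashlib

# Constructed sample patch (hypothetical paths); NOT the patch linked in the post.
SAMPLE_PATCH = b"""\
diff --git a/example/image.conf b/example/image.conf
--- a/example/image.conf
+++ b/example/image.conf
@@ -1,2 +1,2 @@
-sector_size=512
+sector_size=4096
 label=root
diff --git a/example/hook.sh b/example/hook.sh
new file mode 100755
--- /dev/null
+++ b/example/hook.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo hook
"""

def summarize(patch: bytes) -> dict:
    """Map each touched path to added/removed line counts and new-file mode."""
    files, cur, in_hunk = {}, None, False
    for line in patch.decode("utf-8", "replace").splitlines():
        if line.startswith("diff --git "):
            # Header form: diff --git a/<path> b/<path>
            cur = files.setdefault(line.split(" b/", 1)[1],
                                   {"added": 0, "removed": 0, "new_mode": None})
            in_hunk = False
        elif cur is None:
            continue  # mail headers / diffstat before the first file
        elif line.startswith("new file mode "):
            cur["new_mode"] = line.rsplit(" ", 1)[1]
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line.startswith("+"):
            cur["added"] += 1
        elif in_hunk and line.startswith("-"):
            cur["removed"] += 1
    return files

def review(patch: bytes, pinned_sha256: str) -> list:
    """Refuse a patch whose digest differs from the reviewed one; list new executables."""
    digest = hashlib.sha256(patch).hexdigest()
    if digest != pinned_sha256:
        raise ValueError(f"patch changed since review: sha256 {digest}")
    return sorted(p for p, s in summarize(patch).items()
                  if s["new_mode"] and int(s["new_mode"], 8) & 0o111)
```

Run it over the saved .patch file, then apply that same file with git apply -v rather than fetching it again.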

Awesome work! Do you have a more self-explanatory title suggestion for this project?

Maybe something relating to the use-case where one would need this? Or just a combination of these:

1 Like

I had no idea, feel free to change it. Is there a way I can edit #1?
I’ve done a rewrite of this with better formatting, added video and changed the content.

1 Like

Weird, I thought you’d be able to edit your own posts. I’ve changed the title now. Maybe it’s too big. But I had no other way to include that all.

I can edit the title but not the post; I’ll contact you if I need help editing #1.


Some time ago, I decided to post a Qubes build with i3, and it led me to learn more about how to build with other environments.

Instead of removing xfce from the ISO, what I did this time is add more desktop environments, which we can choose at installation.

I have done a quick try and this is the result.



Just a first look, and by my preference I would choose gnome rather than kde; not only is it more stable, everything is just good.

Qubes with i3 is what I use as the host, you may want to see this thread.

2 Likes

Another picture of the gnome build:



1 Like

Thank you.
It worked, but when I uninstalled xfce I automatically installed openbox and lightdm, is there any way to remove this?
I would appreciate it if you could post your comps and qubes-kickstart where the packages for i3 and gnome are prescribed :slight_smile:

1 Like

You may want to build your own ISO rather than use the official one and then remove packages; you may break things.

you may want to add :

<packagereq type="mandatory">i3lock</packagereq>            
<packagereq type="mandatory">i3status</packagereq>

in the i3 group, and use awesome if you don’t like openbox

<packagereq type="mandatory">awesome</packagereq>

The kickstart is a full build; it contains 4 DEs and 3 default templates.
Gnome is currently in development. I have a list of packages to add and remove, but it is stable enough for daily use.

This is for anyone who wants to try building a full build of Qubes OS. This will include the xfce, kde, i3 and gnome desktop environments, which you can choose at installation. The gnome DE is actually minimal gnome functionality, and there’s a known bug (cosmetic). The packages are downloaded from fedora; I’ve only added the dash to dock package.

cat >>builder.conf<< EOF

# vim: ft=make

VERBOSE ?= 2

BACKEND_VMM ?= xen

GIT_BASEURL ?= https://github.com
GIT_PREFIX ?= QubesOS/qubes-

RELEASE ?= 4.1

DIST_DOM0 ?= fc32
DISTS_VM ?= 

COMPONENTS = \
    installer-qubes-os \
    linux-yum \
    builder-rpm \
    linux-template-builder 

BUILDER_PLUGINS ?= builder-rpm 

USE_QUBES_REPO_VERSION = 4.1
USE_QUBES_REPO_TESTING = 1
ISO_USE_KERNEL_LATEST = 1
ISO_VERSION = 5111341

INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/travis-iso-full.ks
EOF
  • Get sources and install deps
    • make get-sources

    • make install-deps

We use pre-built Qubes packages; how long the build takes depends on your internet connection. We will replace the Qubes kickstart and the Qubes dom0 comps with my own.

After it finishes, you can find your ISO in ~/qubes-builder/iso

Here’s the video of this guide:
Builder
Installation

Btw, you can’t use the gnome built-in screencast since I’ve only provided minimal gnome functionality, but it’s already good enough if you want to customize it. It will take some time for me to research which packages need to be removed in dom0.

I just skimmed thru this and will give it a thorough read, but I would like to ask, is there a step in which the user specifies that he only wants the i3wm and not the XFCE-tools getting built-in?

It’s entirely different, when you install i3, there’s no xfce or other DE installed.

Is there a step in which the user expresses his wish to have only i3wm (or other desktop environments)?

Hey I finally watched both webm files. It is nice to see that i3 installation only has i3 and no traces of XFCE desktop manager applications and widgets. Looks light and lean.

One thing that bothers me is that during installation the screen reads “PRE-RELEASE/TESTING.” What are the “security drawbacks” for compiling one’s own qube ISO? Was that warning message there because you weren’t building with the “stable kernel”?

Also, in the qubes builder webm file, at timestamp 5 minute 51 seconds, can I delete the lines that reads the entries

@xfce-desktop-qubes
@xfce-extra-plugins
@xfce-media
@gnome
@kde-desktop-qubes

so that I will only have i3 installation ISO when compiled and done?

Also, the original kickstart cfg file doesn’t have @i3 as well as the @gnome and @kde-desktop-qubes lines. So, in your config file, where do you define where the script pulls the @i3 files? Can I trust that?

Because it uses the testing repo. If you want stable, then remove these lines from builder.conf:

USE_QUBES_REPO_TESTING = 1
ISO_USE_KERNEL_LATEST = 1

Then you have a stable, up-to-date Qubes ISO.

If you plan to use i3 only, you can delete those, but as you can see in the video, I made 4 DEs in the installer; if you try to install another DE it would fail, so it’s best you let others know if you want to share the ISO.

If you ask why, it’s because the other DEs are not mature, and could perhaps lead to other problems (qubes-devel).

It’s from here

And if you look inside there’s a group package of i3

  <group>
    <id>i3</id>
    <name>i3wm</name>
    <description>i3 Windows manager</description>
    <default>false</default>
    <uservisible>false</uservisible>
    <packagelist>
      <packagereq>i3</packagereq>
      <packagereq>i3-settings-qubes</packagereq>
      <packagereq>i3lock</packagereq>
      <packagereq>xbacklight</packagereq>
    </packagelist>
  </group>

So when we define @i3 in qubes-kickstart.cfg, it will download these files,
and it’s the same for the other DEs too.

It’s downloaded from the fedora-32 source; qubes dom0 currently relies on fedora 32. Perhaps you already know how to answer your question.

1 Like
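To see exactly which packages a kickstart group such as @i3 pulls into dom0, the group names can be resolved against the comps file before building. This is an added example (not from the thread's author or the Qubes project); the embedded kickstart and comps text are constructed samples modelled on the snippets quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets quoted in this thread.
COMPS = """<comps>
  <group>
    <id>i3</id>
    <packagelist>
      <packagereq>i3</packagereq>
      <packagereq>i3-settings-qubes</packagereq>
      <packagereq>i3lock</packagereq>
      <packagereq>xbacklight</packagereq>
    </packagelist>
  </group>
</comps>"""
KICKSTART = """%packages
@i3
@gnome  # deliberately not defined in COMPS above
feh
%end"""

def comps_groups(xml_text):
    """Return {group id: [package names]} from a comps file."""
    root = ET.fromstring(xml_text)
    return {g.findtext("id"): [p.text for p in g.iter("packagereq")]
            for g in root.iter("group")}

def kickstart_entries(ks_text):
    """Return (group ids, bare package names) listed in %packages sections."""
    groups, pkgs, inside = [], [], False
    for raw in ks_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("%packages"):
            inside = True
        elif line.startswith("%end"):
            inside = False
        elif inside and line.startswith("@"):
            groups.append(line[1:].split()[0])  # environment refs (@^id) not handled
        elif inside and line and not line.startswith("-"):
            pkgs.append(line)
    return groups, pkgs

def audit(ks_text, comps_text):
    """Resolve what the kickstart pulls in; report groups comps does not define."""
    defined = comps_groups(comps_text)
    groups, pkgs = kickstart_entries(ks_text)
    resolved = {g: defined[g] for g in groups if g in defined}
    missing = [g for g in groups if g not in defined]
    return resolved, missing, pkgs
```

On a real build tree, feed it the contents of qubes-kickstart.cfg and comps-dom0.xml and review the resolved package list before running make iso.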

Alright, thanks for the answers. I will try to build an i3-only ISO and see how it goes.

You may want to add feh to set the wallpaper, dmenu, or other packages you need,
so your i3 group looks like:

  <group>
    <id>i3</id>
    <name>i3wm</name>
    <description>i3 Windows manager</description>
    <default>false</default>
    <uservisible>false</uservisible>
    <packagelist>
      <packagereq>i3</packagereq>
      <packagereq>i3-settings-qubes</packagereq>
      <packagereq>i3lock</packagereq>
      <packagereq>xbacklight</packagereq>
      <packagereq>dmenu</packagereq>
      <packagereq>feh</packagereq>
    </packagelist>
  </group>

@51lieal hey I did compile using your guide and got myself a pure i3wm QubesOS setup, without any of the XFCE tools/widgets/apps. That was cool to see.

Here are a few hiccups that I have though:

I did remove those lines, however, during the QubesOS installation window, I still see PRE-RELEASE/TESTING in red colors:




See the upper right hand side of the pic for the notification in red fonts, “PRE-RELEASE/TESTING”.
Also, the Qubes OS 5111341 is a weird version number.

However, after the initial installation is done, and the installer reboots into setting up the debian, fedora, and whonix templates, I am seeing correct QubesOS version numbering and I cease to see the “PRE-RELEASE/TESTING” notification of the earlier:

Another curiosity is that creating the ISO following your footsteps results in an ISO file that offers XFCE, GNOME and KDE desktop environments, in addition to the i3 window manager setup:

How can I get an ISO with ONLY “Qubes OS with i3” software selection option?
I had deleted the lines that read

@xfce-desktop-qubes
@xfce-extra-plugins
@xfce-media
@gnome
@kde-desktop-qubes

from my builder.conf file, as I have suggested doing so in my previous message. However this didn’t erase the Software Selection options of “Qubes OS with Xfce/KDE/Gnome” as can be seen in the above picture.
Do I have to also remove the relevant Xfce/KDE/Gnome group entries and then compile the ISO?

I forgot to mention: aside from removing those 2 lines, you need to change this,

INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/travis-iso-full.ks
to
INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/iso-full-online.ks

for the weird version number, take a look at builder.conf, we set the version number with

ISO_VERSION = 5111341

You could remove that line, and the build version number will be the date when the ISO was built.

To remove the other DEs from the software selection, remove these lines in comps-dom0.xml


# gnome
  <environment>
    <id>qubes-gnome</id>
    <display_order>6</display_order>
    <name>Qubes OS with Gnome</name>
    <description>Currently still in development.</description>
    <grouplist>
      <groupid>base</groupid>
      <groupid>base-x</groupid>
      <groupid>hardware-support</groupid>
      <groupid>fonts</groupid>
      <groupid>sound-basic</groupid>
      <groupid>qubes</groupid>
      <groupid>gnome</groupid>
    </grouplist>
    <optionlist>
      <groupid default='true'>qubes-ui</groupid>
      <groupid default='false'>fedora</groupid>
      <groupid default='false'>debian</groupid>
      <groupid default='false'>whonix</groupid>
    </optionlist>
  </environment>

# kde
  <environment>
    <id>qubes-kde</id>
    <display_order>4</display_order>
    <name>Qubes OS with KDE</name>
    <description>Standard installation with KDE enviroment in Dom0.</description>
    <grouplist>
      <groupid>base</groupid>
      <groupid>base-x</groupid>
      <groupid>hardware-support</groupid>
      <groupid>fonts</groupid>
      <groupid>sound-basic</groupid>
      <groupid>qubes</groupid>
      <groupid>kde-desktop-qubes</groupid>
    </grouplist>
    <optionlist>
      <groupid default='true'>qubes-ui</groupid>
      <groupid default='false'>fedora</groupid>
      <groupid default='false'>debian</groupid>
      <groupid default='false'>whonix</groupid>
    </optionlist>
  </environment>
  <langpacks>
    <match name="kdelibs" install="kde-l10n-%s"/>
  </langpacks>

# xfce
  <environment>
    <id>qubes-xfce</id>
    <display_order>3</display_order>
    <name>Qubes OS with Xfce</name>
    <description>Standard installation with Xfce enviroment in Dom0.</description>
    <grouplist>
      <groupid>base</groupid>
      <groupid>base-x</groupid>
      <groupid>hardware-support</groupid>
      <groupid>fonts</groupid>
      <groupid>sound-basic</groupid>
      <groupid>qubes</groupid>
      <groupid>xfce-desktop-qubes</groupid>
      <groupid>xfce-extra-plugins</groupid>
      <groupid>xfce-media</groupid>
    </grouplist>
    <optionlist>
      <groupid default='true'>qubes-ui</groupid>
      <groupid default='false'>fedora</groupid>
      <groupid default='false'>debian</groupid>
      <groupid default='false'>whonix</groupid>
    </optionlist>
  </environment>
1 Like

OK. But now it got my attention that in my builder StandaloneVM (fedora-36) the home folder doesn’t have the qubes-src folder. That folder is under the qubes-builder folder. So, there is the .ks file under the following location:
/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks

Is this normal? Or was I to run the make get-sources on the home directory or something?

More specifically, do I run these commands under the ~/qubes-builder folder?

Yeah, I’m missing qubes-builder there; the full path includes qubes-builder.

absolutely.

1 Like