Advanced Qubes Installation (light installer / 4Kn Debian Template / Detached header / Encrypted Boot / Dom0 & DispVM in tmpfs)

Weird, I thought you’d be able to edit your own posts. I’ve changed the title now. Maybe it’s too big. But I had no other way to include that all.

I can edit the title but not the post; I’ll contact you if I need help to edit #1.


Some time ago, I decided to post a Qubes build with i3, and it led me to learn more about how to build with other environments.

Instead of removing xfce from the ISO, what I did this time is add more desktop environments, which we can choose at installation.

I have done a quick try and this is the result.



Just a first look, and from my preference, I would choose gnome rather than kde; not only is it more stable, everything is just good.

Qubes with i3 is what I use as the host, you may want to see this thread.


Another picture of the gnome build:




Thank you.
It worked, but when I uninstalled xfce I automatically installed openbox and lightdm, is there any way to remove this?
I would appreciate it if you could post your comps and qubes-kickstart where the packages for i3 and gnome are prescribed :slight_smile:


You may want to build your own ISO rather than use the official one and then remove packages; you may break things.

You may want to add:

<packagereq type="mandatory">i3lock</packagereq>
<packagereq type="mandatory">i3status</packagereq>

in the i3 group, and use awesome if you don’t like openbox:

<packagereq type="mandatory">awesome</packagereq>

The kickstart is a full build; it contains 4 DEs and 3 default templates.
Gnome is currently in development; I have a list of packages to add and remove, but it is stable enough for daily use.

This is for anyone who wants to try building a full build of Qubes OS; it will include the xfce, kde, i3 and gnome desktop environments, which you can choose at installation. The gnome DE is actually a minimal gnome functionality, and there’s a known bug (cosmetic). The packages are downloaded from fedora; I’ve only added the dash to dock package.

# vim: ft=make

VERBOSE ?= 2

BACKEND_VMM ?= xen

GIT_BASEURL ?= https://github.com
GIT_PREFIX ?= QubesOS/qubes-

RELEASE ?= 4.1

DIST_DOM0 ?= fc32
DISTS_VM ?= 

COMPONENTS = \
    installer-qubes-os \
    linux-yum \
    builder-rpm \
    linux-template-builder 

BUILDER_PLUGINS ?= builder-rpm 

USE_QUBES_REPO_VERSION = 4.1
USE_QUBES_REPO_TESTING = 1
ISO_USE_KERNEL_LATEST = 1
ISO_VERSION = 5111341

INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/travis-iso-full.ks
EOF
  • Get sources and install deps
    • make get-sources

    • make install-deps

We use pre-built qubes packages; how long the build takes depends on your internet connection. We will replace the qubes kickstart and qubes dom0 comps with my own.

After it finishes, you can find your ISO in ~/qubes-builder/iso

Here’s the video of this guide:
Builder
Installation

Btw, you can’t use the gnome built-in screencast since I’ve only provided the minimal gnome functionality, but it’s already good enough if you want to customize it. It will take some time for me to research which packages need to be removed in dom0.

I just skimmed through this and will give it a thorough read, but I would like to ask, is there a step in which the user specifies that he only wants the i3wm and not the XFCE-tools getting built-in?

It’s entirely different, when you install i3, there’s no xfce or other DE installed.

Is there a step in which the user expresses his wish to have only i3wm (or other desktop environments)?

Hey I finally watched both webm files. It is nice to see that i3 installation only has i3 and no traces of XFCE desktop manager applications and widgets. Looks light and lean.

One thing that bothers me is that during installation the screen reads “PRE-RELEASE/TESTING.” What are the “security drawbacks” of compiling one’s own Qubes ISO? Was that warning message there because you weren’t building with the “stable kernel”?

Also, in the qubes builder webm file, at timestamp 5 minutes 51 seconds, can I delete the lines that read

@xfce-desktop-qubes
@xfce-extra-plugins
@xfce-media
@gnome
@kde-desktop-qubes

so that I will only have i3 installation ISO when compiled and done?

Also, the original kickstart cfg file doesn’t have @i3 as well as the @gnome and @kde-desktop-qubes lines. So, in your config file, where do you define where the script pulls the @i3 files? Can I trust that?

Because it uses the testing repo. If you want stable, then remove these lines from builder.conf:

USE_QUBES_REPO_TESTING = 1
ISO_USE_KERNEL_LATEST = 1

Then you have a stable, up-to-date qubes ISO.

If you plan to use i3 only, you can delete those, but as you can see in the video, I made 4 DEs in the installer; if you try to install another DE it would fail, so it’s best you let others know if you want to share the ISO.

If you ask why: because the other DEs are not mature, and could perhaps lead to other problems, qubes-devel.

It’s from here

And if you look inside there’s a group package of i3

  <group>
    <id>i3</id>
    <name>i3wm</name>
    <description>i3 Windows manager</description>
    <default>false</default>
    <uservisible>false</uservisible>
    <packagelist>
      <packagereq>i3</packagereq>
      <packagereq>i3-settings-qubes</packagereq>
      <packagereq>i3lock</packagereq>
      <packagereq>xbacklight</packagereq>
    </packagelist>
  </group>

So when we define @i3 in qubes-kickstart.cfg, it will download these files,
and it’s the same for the other DEs too.

It’s downloaded from the fedora-32 source; qubes dom0 currently relies on fedora 32, so perhaps you already know how to answer your question.


Alright, thanks for the answers. I will try to build an i3-only ISO and see how it goes.

You may want to add feh to set the wallpaper, dmenu, or other packages you need,
so your i3 group is like:

  <group>
    <id>i3</id>
    <name>i3wm</name>
    <description>i3 Windows manager</description>
    <default>false</default>
    <uservisible>false</uservisible>
    <packagelist>
      <packagereq>i3</packagereq>
      <packagereq>i3-settings-qubes</packagereq>
      <packagereq>i3lock</packagereq>
      <packagereq>xbacklight</packagereq>
      <packagereq>dmenu</packagereq>
      <packagereq>feh</packagereq>
    </packagelist>
  </group>

@51lieal hey I did compile using your guide and got myself a pure i3wm QubesOS setup, without any of the XFCE tools/widgets/apps. That was cool to see.

Here are a few hiccups that I have though:

I did remove those lines, however, during the QubesOS installation window, I still see PRE-RELEASE/TESTING in red colors:




See the upper right hand side of the pic for the notification in red fonts, “PRE-RELEASE/TESTING”.
Also, the Qubes OS 5111341 is a weird version number.

However, after the initial installation is done, and the installer reboots into setting up the debian, fedora, and whonix templates, I am seeing correct QubesOS version numbering and I cease to see the “PRE-RELEASE/TESTING” notification from earlier:

Another curiosity is that creating the ISO following your footsteps results in an ISO file that offers XFCE, GNOME and KDE desktop environments, in addition to the i3 window manager setup:

How can I get an ISO with ONLY “Qubes OS with i3” software selection option?
I had deleted the lines that read

@xfce-desktop-qubes
@xfce-extra-plugins
@xfce-media
@gnome
@kde-desktop-qubes

from my builder.conf file, as I have suggested doing so in my previous message. However this didn’t erase the Software Selection options of “Qubes OS with Xfce/KDE/Gnome” as can be seen in the above picture.
Do I have to also remove the relevant Xfce/KDE/Gnome group entries and then compile the ISO?

I forgot to mention: aside from removing those 2 lines, you need to change this,

INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/travis-iso-full.ks
to
INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/iso-full-online.ks

For the weird version number, take a look at builder.conf; we set the version number with

ISO_VERSION = 5111341

You could remove that line, and the build version number will be the date when the ISO was built.

To remove the other DEs from the software selection, remove these lines in comps-dom0.xml


# gnome
  <environment>
    <id>qubes-gnome</id>
    <display_order>6</display_order>
    <name>Qubes OS with Gnome</name>
    <description>Currently still in development.</description>
    <grouplist>
      <groupid>base</groupid>
      <groupid>base-x</groupid>
      <groupid>hardware-support</groupid>
      <groupid>fonts</groupid>
      <groupid>sound-basic</groupid>
      <groupid>qubes</groupid>
      <groupid>gnome</groupid>
    </grouplist>
    <optionlist>
      <groupid default='true'>qubes-ui</groupid>
      <groupid default='false'>fedora</groupid>
      <groupid default='false'>debian</groupid>
      <groupid default='false'>whonix</groupid>
    </optionlist>
  </environment>

# kde
  <environment>
    <id>qubes-kde</id>
    <display_order>4</display_order>
    <name>Qubes OS with KDE</name>
    <description>Standard installation with KDE enviroment in Dom0.</description>
    <grouplist>
      <groupid>base</groupid>
      <groupid>base-x</groupid>
      <groupid>hardware-support</groupid>
      <groupid>fonts</groupid>
      <groupid>sound-basic</groupid>
      <groupid>qubes</groupid>
      <groupid>kde-desktop-qubes</groupid>
    </grouplist>
    <optionlist>
      <groupid default='true'>qubes-ui</groupid>
      <groupid default='false'>fedora</groupid>
      <groupid default='false'>debian</groupid>
      <groupid default='false'>whonix</groupid>
    </optionlist>
  </environment>
  <langpacks>
    <match name="kdelibs" install="kde-l10n-%s"/>
  </langpacks>

# xfce
  <environment>
    <id>qubes-xfce</id>
    <display_order>3</display_order>
    <name>Qubes OS with Xfce</name>
    <description>Standard installation with Xfce enviroment in Dom0.</description>
    <grouplist>
      <groupid>base</groupid>
      <groupid>base-x</groupid>
      <groupid>hardware-support</groupid>
      <groupid>fonts</groupid>
      <groupid>sound-basic</groupid>
      <groupid>qubes</groupid>
      <groupid>xfce-desktop-qubes</groupid>
      <groupid>xfce-extra-plugins</groupid>
      <groupid>xfce-media</groupid>
    </grouplist>
    <optionlist>
      <groupid default='true'>qubes-ui</groupid>
      <groupid default='false'>fedora</groupid>
      <groupid default='false'>debian</groupid>
      <groupid default='false'>whonix</groupid>
    </optionlist>
  </environment>
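
The mismatch described in this exchange (DE groups deleted from %packages while their <environment> entries stay in comps-dom0.xml, so the installer still offers choices it cannot install) can be checked before building. This is an added example, not part of the thread or of qubes-builder. The sample XML and kickstart are constructed, and the `qubes-i3` environment id and the `i3-extras` group are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for comps-dom0.xml. "qubes-kde" and the group
# ids come from the thread; the "qubes-i3" environment id is an assumption.
COMPS = """<comps>
  <group><id>base-x</id><packagelist/></group>
  <group><id>qubes</id><packagelist/></group>
  <group><id>i3</id><packagelist>
    <packagereq>i3</packagereq><packagereq>i3-settings-qubes</packagereq>
  </packagelist></group>
  <group><id>kde-desktop-qubes</id><packagelist/></group>
  <environment><id>qubes-i3</id><grouplist>
    <groupid>qubes</groupid><groupid>i3</groupid>
  </grouplist></environment>
  <environment><id>qubes-kde</id><grouplist>
    <groupid>qubes</groupid><groupid>kde-desktop-qubes</groupid>
  </grouplist></environment>
</comps>"""

# Constructed %packages section for an i3-only build; "@i3-extras" is a
# hypothetical group that no comps entry defines.
KICKSTART = """%packages
@base-x --nodefaults
@qubes
@i3
@i3-extras
-openbox
%end
"""

def kickstart_groups(text):
    """Return the @group names listed between %packages and %end."""
    groups, inside = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("%packages"):
            inside = True
        elif line == "%end":
            inside = False
        elif inside and line.startswith("@") and not line.startswith("@^"):
            groups.add(line[1:].split()[0])  # drop options such as --nodefaults
    return groups

def check(comps_xml, ks_text):
    """Compare the groups the kickstart pulls with what comps defines and offers."""
    root = ET.fromstring(comps_xml)
    defined = {g.findtext("id") for g in root.iter("group")}
    pulled = kickstart_groups(ks_text)
    broken = {}
    for env in root.iter("environment"):
        missing = {g.text for g in env.findall("grouplist/groupid")} - pulled
        if missing:
            broken[env.findtext("id")] = sorted(missing)
    return {"undefined_groups": sorted(pulled - defined), "unbuildable_envs": broken}
```

Call `check()` with the text of the real comps-dom0.xml and qubes-kickstart.cfg. The kickstart quoted later in the thread sets --ignoregroups=true on the Fedora repos, so group definitions come only from the Qubes comps file.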

OK. But now it got my attention that in my builder StandaloneVM (fedora-36) the home folder doesn’t have the qubes-src folder. That folder is under the qubes-builder folder. So, there is the .ks file under the following location:
/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks

Is this normal? Or was I to run the make get-sources on the home directory or something?

More specifically, do I run these commands under the ~/qubes-builder folder?

Yeah, I’m missing qubes-builder there; the full path includes qubes-builder.

Absolutely.


Oh… I have been building the ISO three times now, with the “incorrect” path for the INSTALLER_KICKSTART variable in the builder.conf file then.

I didn’t get any error messages, nor did the process abort due to this. Any reason why?

In the meanwhile, I will correct the INSTALLER_KICKSTART variable to its correct path and re-compile the ISO.


Hey, I just got error:
FileNotFoundError: [Errno 2] No such file or directory: '/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks

on the make iso operation, during
--> Building installer-qubes-os iso for fc32
step.

This is really weird, as the file at that location exists:

$ ls -la /home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks
-rw-rw-r-- 2 user user 766 Jul 25 16:27 /home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks

I am really confused.
Previously, the process didn’t complain about a “non-existent” file/directory (that is, /home/user/qubes-src/… → there is no qubes-src folder on the home folder! but it doesn’t complain about this!).
And now I point it to the correct, existing folder/file, and it gives a “File does not exist!” error!


Here is the error message I am getting:

-> Building installer-qubes-os iso for fc32
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/pykickstart/load.py", line 93, in _load_file
    with open(filename, 'rb') as fh:
FileNotFoundError: [Errno 2] No such file or directory: '/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/pykickstart/parser.py", line 825, in readKickstart
    s = load_to_str(f)
  File "/usr/lib/python3.8/site-packages/pykickstart/load.py", line 45, in load_to_str
    return _load_file(location)
  File "/usr/lib/python3.8/site-packages/pykickstart/load.py", line 99, in _load_file
    raise KickstartError(_('Error opening file: %s') % str(e))
pykickstart.errors.KickstartError: Error opening file: [Errno 2] No such file or directory: '/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/qubes-src/installer-qubes-os/scripts/ksparser", line 96, in <module>
    sys.exit(main())
  File "/home/user/qubes-src/installer-qubes-os/scripts/ksparser", line 57, in main
    ksparser.readKickstart(args.ks)
  File "/usr/lib/python3.8/site-packages/pykickstart/parser.py", line 827, in readKickstart
    raise KickstartError(_("Unable to open input kickstart file: %s") % str(e), lineno=0)
pykickstart.errors.KickstartError: The following problem occurred on line 0 of the kickstart file:

Unable to open input kickstart file: Error opening file: [Errno 2] No such file or directory: '/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks'

make[1]: *** [Makefile:116: iso-prepare] Error 1
--> build failed!
make: *** [Makefile:575: iso] Error 1
[user@builder qubes-builder]$

For clarity, I will paste the contents of the following files: builder.conf, comps-dom0.xml and qubes-kickstart.cfg.

builder.conf:
# vim: ft=make

VERBOSE ?= 2

BACKEND_VMM ?= xen

GIT_BASEURL ?= https://github.com
GIT_PREFIX ?= QubesOS/qubes-

RELEASE ?= 4.1

DIST_DOM0 ?= fc32
DISTS_VM ?=

COMPONENTS =     installer-qubes-os     linux-yum     builder-rpm     linux-template-builder

BUILDER_PLUGINS ?= builder-rpm

USE_QUBES_REPO_VERSION = 4.1

INSTALLER_KICKSTART=/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks

comps-dom0.xml:

PrivateBin Paste

qubes-kickstart.cfg:
# Kickstart file for composing the "Qubes" spin of Fedora

# Package manifest for the compose.  Uses repo group metadata to translate groups.
# (@base is added by default unless you add --nobase to %packages)
# (default groups for the configured repos are added by --default)

repo --name=fedora --gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-32-primary --ignoregroups=true --metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-32&arch=x86_64
repo --name=fedora-updates --gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-32-primary --ignoregroups=true --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f32&arch=x86_64
repo --name=installer --baseurl=file:///tmp/qubes-installer/yum/installer/
repo --name=qubes-dom0 --baseurl=file:///tmp/qubes-installer/yum/qubes-dom0/
repo --name=dom0-updates --baseurl=file:///tmp/qubes-installer/yum/dom0-updates/

%packages
@core
@base
@base-x --nodefaults
@sound-basic
@fonts
@hardware-support
@qubes
@qubes-ui
@anaconda-tools
@fedora
@debian
@whonix
@i3
# weaks dependencies
-adobe-source-code-pro-fonts
-compat-f32-dejavu-sans-fonts
-compat-f32-dejavu-sans-mono-fonts
-compat-f32-dejavu-serif-fonts
-crypto-policies-scripts
-deltarpm
-dnfdaemon-selinux
-fips-mode-setup
-flac
-fwupd-plugin-flashrom
-fwupd-plugin-modem-manager
-gcc-gdb-plugin
-geolite2-city
-geolite2-country
-gnupg2-smime
-gstreamer1-plugins-good-qt
-lame
-libsss_autofs
-libsss_sudo
-libxcrypt-compat
-libyui-gtk
-libyui-mga-gtk
-libyui-mga-qt
-libyui-qt
-libyui-qt-graph
-mkpasswd
-ntfs-3g-system-compression
-oddjob-mkhomedir
-openssl-pkcs11
-openbox
-opus-tools
-perl-IO-Compress
-perl-IO-Socket-SSL
-perl-Math-BigInt
-perl-Mozilla-CA
-pigz
-pinentry
-python-systemd-doc
-python-unversioned-command
-python3-unbound
-rpm-plugin-systemd-inhibit
-sssd-nfs-idmap
-trousers
# selected dependencies
-blueberry
%end

Any ideas for the “FileNotFoundError”? I mean, the file at the path that it complains about does exist. Which makes this error really cryptic.

A closer look also reveals another cryptic situation: in the error message I pasted above, the topmost Traceback reads,
File "/usr/lib/python3.8/site-packages/pykickstart/load.py"
However, this file does NOT exist on the fedora-36 /usr/lib/ folder!
There is only /usr/lib/python3.10/ folder there. So, I am really baffled as to how would the script make the call to a python3.8 folder under /usr/lib.

A day after EDIT:
I figured that the solution to this error is having the

INSTALLER_KICKSTART=/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks

line in the builder.conf file WITHOUT the /qubes-builder/ part. So, @51lieal your original builder.conf file is correct with that line.
Now I, too, am using the INSTALLER_KICKSTART as you are:
INSTALLER_KICKSTART=/home/user/qubes-src/installer-qubes-os/conf/iso-full-online.ks

The reason for this, as far as I understand the documentation, is that the building process uses chroot and creates a root file system environment within the /home/user/qubes-builder/ and goes deeper from that part.
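
A pre-build check of the builder.conf points raised in this thread, as an added example that is not part of the thread or of qubes-builder. The host-to-chroot path mapping is an assumption taken from the conclusion above, the sample file is constructed, and line continuations (`\`) are not parsed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample using the builder.conf lines discussed in the thread.
BUILDER_CONF = """RELEASE ?= 4.1
DIST_DOM0 ?= fc32
USE_QUBES_REPO_VERSION = 4.1
USE_QUBES_REPO_TESTING = 1
ISO_USE_KERNEL_LATEST = 1
ISO_VERSION = 5111341
INSTALLER_KICKSTART=/home/user/qubes-builder/qubes-src/installer-qubes-os/conf/iso-full-online.ks
"""

# Assumption (from the thread's conclusion): the source tree on the build VM
# appears under a different prefix inside the fc32 build chroot.
HOST_SRC = PurePosixPath("/home/user/qubes-builder/qubes-src")
CHROOT_SRC = PurePosixPath("/home/user/qubes-src")

def parse_conf(text):
    """Parse single-line make assignments; '?=' only sets an unset variable."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*(\?=|=)\s*(.*?)\s*$", line)
        if m:
            name, op, value = m.groups()
            if op == "=" or name not in conf:
                conf[name] = value
    return conf

def audit(text):
    """Return a list of findings for the settings the thread identifies."""
    conf, findings = parse_conf(text), []
    for key in ("USE_QUBES_REPO_TESTING", "ISO_USE_KERNEL_LATEST"):
        if conf.get(key) == "1":
            findings.append(f"{key}=1: remove for a stable ISO")
    if "ISO_VERSION" in conf:
        findings.append("ISO_VERSION set: replaces the build-date version number")
    ks = conf.get("INSTALLER_KICKSTART")
    if ks:
        try:
            rel = PurePosixPath(ks).relative_to(HOST_SRC)
            findings.append(f"INSTALLER_KICKSTART: use chroot path {CHROOT_SRC / rel}")
        except ValueError:
            pass  # not under the host source tree; nothing to translate
    return findings

if __name__ == "__main__":
    for finding in audit(BUILDER_CONF):
        print(finding)
```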
