Alpine Linux Template (non-official) available for testing

dro212 · May 15, 2024, 11:20am

This is the error code I received after trying to install.

Traceback (most recent call last):
File “/usr/bin/qvm-template-postprocess”, line 5, in
sys.exit(main())
^^^^^^
File “/usr/lib/python3.11/site-packages/qubesadmin/tools/qvm_template_postprocess.py”, line 449, in main
loop.run_until_complete(post_install(args))
File “/usr/lib64/python3.11/asyncio/base_events.py”, line 653, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File “/usr/lib/python3.11/site-packages/qubesadmin/tools/qvm_template_postprocess.py”, line 314, in post_install
import_root_img(vm, args.dir)
File “/usr/lib/python3.11/site-packages/qubesadmin/tools/qvm_template_postprocess.py”, line 102, in import_root_img
raise qubesadmin.exc.QubesException(
qubesadmin.exc.QubesException: template.rpm symlink not found for multi-part image, using up-to-date qvm-template install ... should help
ERROR: Command ‘[‘qvm-template-postprocess’, ‘–really’, ‘–no-installed-by-rpm’, ‘post-install’, ‘alpine318’, ‘/var/tmp/tmpjifu34ic/var/lib/qubes/vm-templates/alpine318’]’ returned non-zero exit status 1.

I did some research, and it seems the template installer thinks there’s missing parts of the file. I have no idea how to fix.

ayakael · July 24, 2024, 9:26pm

Hey all, I forgot I had an account here! I made the template referenced by OP. I see there’s an appreciation for my work, thanks for y’all’s interest! I’d be happy to get this fixed up for more official inclusion. I’ve yet to identify a clear way to get this template supported along the same lines as Arch Linux. At the minimum, I’ll maintain the packages and the RPM, and if any of y’all find (and fix issues) you can share them on here or on the GItHub issues page, I’ll have them integrated. I answer more quickly on the Github page, but I’ll try to keep an eye on the forums.

ludovic · July 25, 2024, 8:13pm

Thank you for your work, yesterday I switched from Alpine-3.19 to 3.20 without any problem (template update with the 3.20 repository, not the new 3.20 template rpm).

ayakael · July 27, 2024, 5:00am

Wicked, glad to hear!

Of note, I’ve fixed a bug with qubes-usb-proxy which broke attaching devices to the Alpine AppVM. Incidently, this seems to also fix using Alpine Linux as a base for sys-usb. I’m working on porting GitHub - QubesOS/qubes-app-linux-input-proxy, but I’m not sure how to port the systemd services to openrc.

(edit: a package for the input proxy is already available via qubes-input-proxy, but it wont automatically spawn the proxy process since it does that via udev and systemd. It’s available via the repo though, for those who wish to figure out an openrc implementation)

ayakael · July 27, 2024, 7:47pm

It looks like installing via RPM is broken. Can you try installing using the following command?

qvm-template install --nogpgcheck /full/path/to/rpm

ayakael · August 22, 2024, 9:00pm

Hello everyone, an important infrastructure update.

The repos now have a new home on my very own Forgejo instance. You can browse them here:

qubes-builder-alpine: https://ayakael.net/forge/qubes-builder-alpine
qports (formerly qubes-aports): https://ayakael.net/forge/qports

This will bring some much needed infrastructure upgrades:

We can now use proper Alpine Linux and RPM repositories
Alpine package signing is now handled seperately from the package building workflows
The Qubes template RPM is now available on a signed template. It is thus installable using qvm-template

These changes require manual intervention on already-existing templates to use the new Alpine Linux repo

Repo migration instructions

Update repo in /etc/apk/repositories to use this instead:

https://ayakael.net/api/packages/forge/alpine/v3.20/qubes-r4.2

Go to /etc/apk/keys and download new key:

cd /etc/apk/keys
curl -JO https://ayakael.net/api/packages/forge/alpine/key

New RPM installation:

If you wish to install an updated template, you can follow the instructions on the README in qubes-builder-alpine’s new repo.

ayakael · October 17, 2024, 12:19am

I fixed an issue causing qubes-gui-agent on edge templates to fail. It was introduced by community/eudev: remove support for split-usr (7ce7590c) · Commits · alpine / aports · GitLab, which is a change in-line with Alpine’s new policy on merging /lib and /sbin into /usr. This caused an issue where a udev rule that gave access to xen devices to the qubes group wasn’t picked up. Via #101 - [4.2] *: /usr merge - forge/qports - Ayakael: My personal forge I’ve thus followed suite and merged everything qports related into /usr. This fixed the issue, and brings the template in line with where things should land for v3.21.

For those on an edge template who lost access, you can fix your template by updating it through sudo xl console template-name and apk update; apk upgrade and restarting your template.

apparatus · October 17, 2024, 5:46pm

It’s better to use qvm-console-dispvm template-name to connect to the qube’s console in a disposable qube instead of dom0 directly.

scales · November 14, 2024, 1:31am

Default kernel of Alpine Linux is hardened by PAX and grsecurity.
There are not other distribution hardened default by PAX and grsecurity.

So Alpine Linux is safer than Hardened Gentoo, default setting of SELinux of Fedora and other many distribution.

And Alpine Linux is not using systemd, uses OpenRC.
They are very pro of Alpine template!

renehoj · November 14, 2024, 7:12am

The website says their security is based on their repository is compiled as PIE, where does it say they use grsecurity?

solene · November 14, 2024, 11:31am

grsec patches are not free, but someone from Alpine started to implement a similar mechanism, I guess it’s related to https://www.phoronix.com/news/Edera-OpenPaX-Announced

andyleitermann · November 15, 2024, 4:54am

I have a ton of qubes, so a much lighter-weight template would be extremely helpful for my workflow. Thanks for this, hoping to see it in the Template Manager soon!

ayakael · December 1, 2024, 3:23am

Upgrading to v3.21

With the first release candidate out for Alpine 3.21, I’ve built the packages against it. You can already upgrade to this release, although you must follow these steps first. Not doing so will break your template! There is an issue with upgrading qubes-libvchan-xen which requires manual intervention.

Option A

Change release of repos in /etc/apk/repositories to 3.21
apk update
apk fetch qubes-libvchan-xen
apk add --allow-untrusted qubes-libvchan-xen-*.apk
apk upgrade -a

Option B

(less recommended)

Temporarily attach your template to a network qubes (i.e sys-firewall)
Change release of repos in /etc/apk/repositories to 3.21
apk upgrade -a
Detach template from the network qubes

What is happening?

Alpine’s packager apk installs packages while downloading. This makes apk faster than other package keepers. To avoid having templates connected to the internet, apk is setup to go over a proxy.

The problem is that when upgrading qubes-libvchan-xen, which is a dependency of this proxy, apk upgrades xen first without downloading the package. Thus, when upgrading qubes-libvchan-xen, download / installation fails, which then breaks the proxy. Thus, qubes-libvchan-xen can never be downloaded, and thus your template is in a broken non-bootable state.

The above interventions either forces installation of qubes-libvchan-xen before upgrading xen, or removes the need for the proxy by having the template attached to a network qubes.

Template RPM

In any case, an RPM for v3.21 will be released once 3.21 is officially released. It’ll be available here: Packages - forge/qubes-builder-alpine - Ayakael: My personal forge

ayakael · December 16, 2024, 12:46am

I’ve produced an RPM for Alpine v3.21: qubes-template-alpine321 - Ayakael: My personal forge

ludovic · January 25, 2025, 4:36pm

Thank’s for this guide . I just upgraded from Alpine 3.20.5 to 3.21.2.
I got an issue with icu:

tpl-alpine-321:~$ sudo apk upgrade -a
Upgrading critical system libraries and apk-tools:
(1/1) Upgrading apk-tools (2.14.4-r1 -> 2.14.6-r2)
Executing busybox-1.36.1-r29.trigger
Continuing the upgrade transaction with new apk-tools:
ERROR: unable to select packages:
  icu-data-en-74.2-r0:
    conflicts: icu-data-full-74.2-r0[icu-data=74.2-r0]
    satisfies: icu-libs-74.2-r0[icu-data=74.2-r0]
  icu-data-full-74.2-r0:
    conflicts: icu-data-en-74.2-r0[icu-data=74.2-r0]
    satisfies: firefox-intl-134.0-r0[icu-data-full]
               icu-libs-74.2-r0[icu-data=74.2-r0]

I did some apk fix and apk del commands, but finally I think I fixed the issue with:

sudo apk del firefox-intl
sudo apk fix icu-data-en
sudo apk fetch icu-data-en
sudo apk add /home/user/icu-data-en-74.2-r0.apk

cubit · January 26, 2025, 7:42pm

It may be that I am too much of a novice for the task, but I am trying and could use your advice.

I successfully installed Alpine321 as a template using qvm-template.

But of course it doesn’t have ‘Copy to VM’ or other context menu items, as I need to install the aports: Files · main · Antoine Martin / qubes-aports · GitLab

however I have no idea how to compile these, is this where qubes builder comes in? Because I was able to get alpine321 template going without using anything but downloading the .rpm.

Would very much appreciate a link to how to build and install the necessary aports

thank you so much, the effort is incredible and I am so happy to have an alpine template, I hope it becomes official.

ludovic · January 26, 2025, 9:11pm

Hi @cubit ,
the CLI (Command Line Interface) qvm-copy / qvm-move tools work with the Alpine Template, so it’s an alternative to the GUI (Graphical User Interface) menu entries in the File Manager.

Resources if you don’t know the qvm-copy / qvm-move commands:

cubit · January 27, 2025, 7:08am

Thank you this is great. I still assumes the aports are not included by default? 1.Is there a guide for importing them to the Alpine template?

It also may just be user error, but I cannot get a DVM of an alpine app cube to show apps in the application finder like "Firefox (DVM’ that automatically starts the selected app in a new disposable, is this feature included? (For example ```
[user@dom0 ~]$ qvm-prefs DVM-NAME template_for_dispvms True
[user@dom0 ~]$ qvm-features DVM-NAME appmenus-dispvm 1
produce an error: ‘no such property’
I changed the AlpineTemplate repos to EDGE, is this going to pose a problem?

Thank you for your work and your quick response!

cubit · January 27, 2025, 9:49am

Maybe better to report on your repo but: opening one file explorer in an Alpine template is fine, but attempting to spawn another causes both to close. opening further file explorer windows does not work until restarting the vm.

ludovic · January 27, 2025, 5:48pm

@ayakael did the Alpine Template, I’m a user and I do some contributions.

I do not know the answers for your 1. and 3. items, but for the 2. :

Daily I use an Alpine DVM, my setting:

[user@dom0 ~]$ qvm-prefs dvm-alpine | grep -E "^klass|^template|^template_for_dispvms"
klass                 D  AppVM
template              -  tpl-alpine-321
template_for_dispvms  -  True
[user@dom0 ~]$ qvm-features dvm-alpine
menu-items       xfce4-file-manager.desktop pcmanfm.desktop firefox.desktop xfce4-terminal-emulator.desktop
appmenus-dispvm  1

I launch my Alpine DVM Firefox with a keyboard shortcut mapped to : qvm-run --dispvm dvm-alpine /usr/bin/firefox.

My Qubes main menu displays my dvm-alpine and the applications listed by qvm-features dvm-alpine menu-items . Did you add the Firefox application in Qube Manager/your DVM/Settings/Applications tab?

Please, do the checks and read the official documentations: