Automated Qubes OS Installation using Kickstart and/or PXE Network Boot

Community Guides
19

Hahaha. No no no no no. My explanations are becoming more and more abiguous. My bad :stuck_out_tongue_closed_eyes:

I meant the initial loading of the xen.gz, vmlinuz and initrd.img files. The PXE server seems to not be able to serve those files in parallel to multiple machines simultaneously.

Once you serve the ISO over another protocol (I used NFS), there’s no bottleneck whatsoever :slight_smile:

At least, that’s what I encountered in my testing of getting 6 legacy boot laptops and 6 UEFI boot laptops to PXE boot the Qubes ISO simultaneously…

Maybe there’s a config I haven’t set up that allows this…maybe…:thinking:

I would respectfully argue that these attacks are just moved to a different place… :face_with_raised_eyebrow:

Again, you’d still have the same drive requirements, but they would be in a different place. Instead of being locally connected to the target machine, they’d be inside another machine.

This means you’d have to accommodate for TWO attack vectors:

  • Firmware attacks on TWO devices:
    • The drive that is hosting your Qubes OS boot image, as well as the actual machine that this drive is connected to
    • Your network stack on both your client and server, as well as any intermediary network infrastructure

Many would argue that this is more cumbersome than connecting a physical drive to a SATA/NVME/PCI slot on a motherboard, but it appears tht this approach better suits your use case.

Just be sure to factor all of this in when you use it :slight_smile:

Ok, I’ll give you that one :stuck_out_tongue:

Another good point :stuck_out_tongue:

Can be a blessing and a curse simultaneously, but I’ll give you that one too :wink:

Assuming the “known good state” Qubes OS install that you’re booting from stays in “mint condition”, but yes, I’ll give you that one too :sunglasses:

Was about to say this, but you beat me to it :laughing:

There is potential for VLANs to alleviate some of these issues, allowing you to use a single NIC, but I’d need to investigate a lot deeper into this than I already have…

I don’t want to give you any wrong information :laughing:

That would definitely be possible, but if you were to do that to a current Qubes OS install without any modifications, do you realise how much RAM you’d actually need…? :astonished:

The dom0 partition in the current standard Qubes OS install is at least 24GB.
That means:

  • You’d lose at least 24GB of the client’s RAM to a dom0 ramdisk
    • This would only really be viable on server motherboards with a billion and one RAM slots (mad respect if you have such a motherboard, I’m super jealous!)
    • Your options for doing this are basically including a complete dom0 in the initrd.img, essentially making the initramfs 25GB, which would likely take 30-90+ minutes to serve via PXE
  • Copying dom0 into RAM via NFS would be quicker, but would require a fair amount of “hacky shenanigans” to accomplish
    • Most of the work has been done with what you’ve already tinkered with regarding running Qubes OS entirely in RAM

Excellent.

Ok, so then that’s a potential methodology for PXE.

You’re starting to get the hang of PXE. Nice :slight_smile:

So then I guess you’ve decided that each machine gets their own Qubes OS install on the server :slight_smile:

Off the top of my head, I would say:

  1. PXE serve xen.gz, vmlinuz, and initrd.img
  • Have the initrd.img contain a complete read-only dom0

OR

  • Have a dom0 served via NFS as an image file once the initrd.img was served via PXE, allowing faster boot times of client machines, particularly if multiple clients are booting simultaneously
  1. Have Templates served via NFS
  • Allows on-demand loading/unloading of templates and AppVMs
  • Templates can be loaded by multiple clients simultaneously, provided they are read-only, avoiding clients “fighting over control of the templates”
  1. Serve AppVMs (or at least configuration files for AppVMs) via NFS
  • Allows each client to have their own persistent configuration
  1. Serve some AppVMs via VNC
  • Allows some AppVMs to run on the server
  • Can be useful when running Qubes OS on a very underpowered client, and you need those extra system resources
  1. Serve a user database via LDAP or PAM
  • Would allow all clients to boot from the same Qubes install, log in with their unique username and password, and have all their configs and custom AppVMs load on any client machine
  • Optional (and is likely not as straightforward as I am describing it, so don’t get your hopes up just yet :stuck_out_tongue:)

But in any case, you are definitely onto something, and I propose forking this thread to better facilitate this endeavour :slight_smile: