BUG (?) sys-firewall not disposable as marked on installation

I marked the sys-firewall of my new Qubes installation to be disposable. It is not.

After the end of the installation I got an end concerning sys-firewall and resetting a PCI device.

That was fixed from the button force reset in the settings, I think.

Trying to make it disposable from the settings gives me an error that it can’t.

Delete the sys-firewall qube:

qvm-remove -f sys-firewall

Recreate sys-firewall:

sudo qubesctl state.sls qvm.sys-firewall

If you have created a separate TemplateVM for your sys-firewall qube that is different from the default TemplateVM, change the template of the new sys-firewall to your desired TemplateVM. Otherwise, skip this step:

qvm-prefs sys-firewall template <deb11-min-firewall>

Disable autostart and networking:

qvm-prefs sys-firewall autostart false && qvm-prefs sys-firewall netvm ''

Clone the sys-firewall qube and set the clone to be a template for disposable vms:

qvm-clone sys-firewall sys-fw-template && qvm-prefs sys-fw-template template_for_dispvms true && qvm-prefs sys-fw-template default_dispvm sys-fw-template && qvm-prefs sys-fw-template virt_mode pvh && qvm-features sys-fw-template appmenus-dispvm ''

Delete the sys-firewall qube:

qvm-remove -f sys-firewall

Now create the disposable sys-firewall qube, and if you want your disposable sys-firewall to autostart when QubesOS boots up, then change autostart=false to instead be autostart=true in the command:

qvm-create --class DispVM --template sys-fw-template --prop autostart=false --prop netvm="sys-net" --prop provides_network=true --label green sys-firewall && qvm-features sys-firewall appmenus-dispvm ''

Set your new disposable sys-firewall to be the updatevm for dom0 updates and the default netvm for all qubes:

qubes-prefs updatevm sys-firewall && qubes-prefs default_netvm sys-firewall

That should give you a disposable sys-firewall that works. You can also combine the commands listed above into one command using && in between each command.

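A dom0 check for the result of the steps above, as an added example that is not part of the original posts: it reads back the properties those commands set and reports any mismatch. The function name, the `QVM_PREFS`/`QUBES_PREFS` override variables and the check that the disposable template's `klass` is `AppVM` are assumptions of this example; the qube names default to the ones used above and can be passed as arguments for a differently named setup.

```sh
#!/bin/sh
# Added example: verify a disposable sys-firewall from dom0.
# QVM_PREFS / QUBES_PREFS are overridable so the logic can be tested offline
# (an assumption of this example, not a Qubes convention).
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"
QUBES_PREFS="${QUBES_PREFS:-qubes-prefs}"

# expect <description> <expected> <actual>: print a result, return 1 on mismatch
expect() {
    if [ "$2" = "$3" ]; then
        printf 'ok    %s = %s\n' "$1" "$3"
    else
        printf 'FAIL  %s: expected "%s", got "%s"\n' "$1" "$2" "$3"
        return 1
    fi
}

# check_disposable_firewall [firewall-qube] [disposable-template] [upstream-netvm]
check_disposable_firewall() {
    fw="${1:-sys-firewall}"; tpl="${2:-sys-fw-template}"; up="${3:-sys-net}"
    rc=0
    # The firewall itself must be a DispVM built from the disposable template.
    expect "$fw klass" DispVM "$($QVM_PREFS "$fw" klass)" || rc=1
    expect "$fw template" "$tpl" "$($QVM_PREFS "$fw" template)" || rc=1
    # The template of a disposable is an AppVM flagged template_for_dispvms.
    expect "$tpl klass" AppVM "$($QVM_PREFS "$tpl" klass)" || rc=1
    expect "$tpl template_for_dispvms" True \
        "$($QVM_PREFS "$tpl" template_for_dispvms)" || rc=1
    # Network position: behind the upstream net qube, serving other qubes.
    expect "$fw netvm" "$up" "$($QVM_PREFS "$fw" netvm)" || rc=1
    expect "$fw provides_network" True "$($QVM_PREFS "$fw" provides_network)" || rc=1
    # Global settings from the last step of the procedure.
    expect "global updatevm" "$fw" "$($QUBES_PREFS updatevm)" || rc=1
    expect "global default_netvm" "$fw" "$($QUBES_PREFS default_netvm)" || rc=1
    return $rc
}

# Run the check only where the Qubes tools exist (that is, in dom0).
if command -v "$QVM_PREFS" >/dev/null 2>&1; then
    check_disposable_firewall "$@"
fi
```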

sudo qubesctl state.sls qvm.sys-firewall is enough to get you a disposable that works - it’s a named disposable, but disposable nonetheless.


How does that work? I thought that a named disposable must have an AppVM as its template.

It has? The one set as the default in Global settings? Or I didn’t understand your question…