Confused with correct way to install software

AC5583 · October 11, 2021, 5:23am

Hello, I’m following the docs and it says software installation has to be through templates. But then it says network connections are disabled for templates and that I need to use Updates Proxy. But I don’t know how to start up Updates Proxy. I couldn’t figure out what to type into the terminal from the docs. I went from Template:fedora-32 > fedora-32: Software and of course, no network access so I couldn’t install any of those items available in the software screen. What do I do? Should I just change the “Networking” field in settings to sys-firewall? I don’t want to do the wrong thing…

ppc · October 11, 2021, 8:44am

what software screen

if you don’t care about security, yes

it use tinyproxy

can you check this file in dom0

/etc/qubes-rpc/policy/qubes.UpdatesProxy

unman · October 11, 2021, 12:37pm

Hi
The updates proxy service is configured by default in the templates, so
you should not need to do anything.
The Fedora Software app does not honour this proxy, so you cant use it
to install software. (I recall this is long standing fedora bug.) You
can, of course, use dnf at the command line in the template.

It’s not advisable to enable networking in the template.

AC5583 · October 11, 2021, 1:24pm

Sorry, I’m new to all this Linux stuff. So I chose instead to download the software in one of the Qubes that was setup by default. Is it ok to use “Copy to Other AppVM” and select the Fedora-32 template? And then from that template, install the software? Is this the correct way to do it?

ppc · October 11, 2021, 1:41pm

you can, just make sure that file is safe

tech3599 · October 11, 2021, 2:57pm

So I chose instead to download the software in one of the Qubes that was setup by default. Is it ok to use “Copy to Other AppVM” and select the Fedora-32 template? And then from that template, install the software? Is this the correct way to do it?

It is recommended to install software directly from the TemplateVM’s package manager, if it’s available. You can use dnf search <package> for Fedora or apt search <package> for Debian to look for the software you’re trying to install. I would not recommend copying any files into a TemplateVM for security.
Also, see:
How to install software | Qubes OS

AC5583 · October 11, 2021, 3:25pm

Hi, what if the software isn’t available in the package manager? For example, I had to download NordVPN from their website as it wasn’t listed in the package manager. What would be the right way to go about it if copying from a Qube is unsecure?

I have read the help file multiple times. Unfortunately, it is not very user-friendly to an absolute beginner coming straight from Windows. Hence, my posts.

tech3599 · October 11, 2021, 4:02pm

No problem. You wouldn’t want to install a VPN onto a TemplateVM anyway.
There is documentation on how to set up VPNs:

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

I will try to summarize it from what I understand, but I haven’t tried setting up a VPN myself. There are basically three options, setting up the VPN globally (all connections will go through the VPN), setting up the VPN for a specific AppVM, and setting up a ProxyVM that will provide the VPN connection to specific AppVMs.
If you want to set up the VPN globally, you can follow the installation instructions from NordVPN by running the sh command provided there inside of the sys-net VM’s terminal, then following the instructions to set it up from there.
If you just want to provide the VPN connection for a single AppVM, you can do the same thing, but inside of the AppVM’s terminal.
The third option of creating a ProxyVM requires creating a new VM with Create Qubes VM, choosing the preferred Template (fedora-32 or fedora-33 should work fine), setting Networking to sys-firewall, then checking the box for ‘provides network’. Then follow the same steps for the other two options in the new VM’s terminal.
https://support.nordvpn.com/Connectivity/Linux/1325529112/Installing-and-using-NordVPN-on-Fedora-and-QubesOS-Linux.htm
If you need any further help, you can let us know. There are probably some things I didn’t cover, but they can be found in the documentation.
Also, note that copying files between qubes is not inherently insecure, but I would generally not recommend copying anything to the TemplateVMs specifically as they are usually more trusted.

AC5583 · October 11, 2021, 7:46pm

Ok, thanks! I managed to install some stuff using the dnf search <package> command you gave me. No Qube file transfers for that part! So I guess I’m on a slow, but right path.

The NordVPN link was the first thing I tried. But at the time, I don’t think I understood some of what was going on so that’s probably why it failed. I will give that a shot again and I’ll read the first link as well as from a glance, that seems to look like the better way to do it.

trounces · February 10, 2022, 7:32am

I’m having the same doubt.

My applications such as Standard Notes and Veracrypt and Signal Messenger are not available using dnf search so I opened a disposable Qube and downloaded the installation files straight from the source website. Checked the checksum manually etc.

Now I don’t know how to continue.

I tried to copy the by me trusted file into the template but it does not seem to appear anywhere. It seems I cannot copy the file to the Fedora Template or it does not work the same way as when I copy a file from one Qube to another.

Any best practices on the topic of installing packages from third parties?

I saw some posts on using third party repositories but I do not trust those, I rather download the file directly from the source and verify the checksum after.

oijawyuh · February 10, 2022, 8:29am

I would like to start by reiterating: It’s not advisable to enable networking in the template.

Regarding installing Signal messenger in a Debian template, see: https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md

It’s easy and straighforward (copy/pasting the commands from the that webpage to the terminal in the template).

Regarding installing software that does not exist in any repository, for example, Zoom, MS Teams (or Standard Notes and Veracrypt as mentioned), here’s how I do it:

First, check if software can be installed and if it persists in the Qube / AppVM (work, vault, etc.) instead of the Template. Some applications do persist.
Second, if it does not persist in the Qube / AppVM, download the installation file in a Qube, then copy to the template. Make sure that the installer corresponds to the Template. Debians take .deb files. Fedora i think .rpm files. Then run “sudo dnf install [the downloaded package]” or “sudo apt install [the downloaded package]”. The downloaded packaged would be in a folder in QubesIncoming. You can drag and drop it to the terminal after you type the sudo apt install / sudo dnf install. (I saw in some cases the use of sudo dpkg -i [package] but I don’t know the difference with install command. Maybe Linux experts can explain this?).

I hope this helps.

adw · February 11, 2022, 3:26am

Are you sure about that? Where did you look for them? Those files should show up in /home/user/QubesIncoming/, which is the same as when copying files to any qube.

Once you have the program installer in your template (and you’re sure you trust it), you can often install it there just like you would in the baremetal upstream OS.