Considering Qubes OS for complex workstation use, should I try it?

I do a lot of software development (contributing to Fedora, hopefully contributing to Ubuntu in the future, working with upstream KDE, and doing some stuff of my own) and have found that I’m doing a lot of work in VMs. Most of my intensive workloads are virtualized. Xen is probably faster than KVM in some instances, so I’m thinking of trying Qubes OS so that I get better performance and better security.

However, my workflows are relatively complex, so I’m hoping that more experienced users will be able to tell me if Qubes is likely to work for my use case.

  • Much of my work requires running full operating systems (Windows, KDE neon, Fedora, Lubuntu) within typical VMs (not paravirtualized). As I understand it, Xen’s HVM support is good, but I won’t be able to easily transfer files or copy-paste from VM to VM since the Qubes tools may not work inside HVMs. For this reason, I have the idea of running a FileZilla server in one Qube and then connecting my HVMs to it so I can share files between VMs via FTP. How easy (or not easy) is it to do something like this? (Note that I do NOT want the file sharing traffic to run through sys-net or sys-firewall, I’d want it to be direct qube-to-qube communication between relatively trusted qubes.)
  • I intend on running AI software in one of the Qubes, for which I will need to use GPU passthrough. I’m fairly skilled with managing advanced Linux-related tasks and think I should be able to do this, but I wonder how many people have had issues with this (aside from the issue described here: Quick howto: GPU passthrough with lots of RAM)
  • I have a large external HDD formatted with ZFS on which I intend on storing most of my HVM Qubes. This drive is HUGE (12 TB) and has a lot of data on it that I can’t move onto a second drive, so reformatting it isn’t an option. (I have all of the important data backed up onto a two-drive ZFS mirror… but the desktop those drives were in died so now I can’t use them :rofl:) Also the drive is external and USB-attached, and sometimes it will not be plugged in. Will I be able to use this drive as-is to store some (but not all) of my Qubes?
  • Another Qube needs to be accessible from other systems on my LAN so that I can SSH into it and run one particular Windows application remotely with Wine (long story, weird setup). I found documentation describing how to do port forwarding at Firewall | Qubes OS. Are there particular “gotchas” I should be aware of here?
  • Some of my work requires nested VMs, however I think I can get by using full emulation so that I don’t open up security holes and bugs by enabling true nested virtualization. I also have a secondary machine I can use in the event full emulation is too painfully slow in the places where I need nested virt.

I think I should be able to use Qubes OS, but I don’t want to invest a ton of time into trying to set it up and discover that there’s some aspect of the system that makes it impossible or impractical for my use case. Should I try it, or is my setup something where traditional Linux distros with KVM are probably going to work better?

1 Like

so I’m thinking of trying Qubes OS so that I get better performance

Awkward timing

For this reason, I have the idea of running a FileZilla server in one
Qube and then connecting my HVMs to it so I can share files between
VMs via FTP. How easy (or not easy) is it to do something like this?

Not hard

I wonder how many people have had issues with this

Depends on what hardware you will use. AMD > NVIDIA from what I’ve heard.

Will I be able to use this drive as-is to store some (but not all) of
my Qubes?

I’m not sure. These instructions don’t tell me if the drive is erased in the process. If you have experience with LVM, then you might be able to find the answer from the links in the document.

Are there particular “gotchas” I should be aware of here?

I haven’t had a reason to do this, so I can’t answer that question.

Some of my work requires nested VMs, however I think I can get by
using full emulation so that I don’t open up security holes and bugs
by enabling true nested virtualization.

Nested virtualization is disabled on Qubes by default. If you “enable
it” anyway, it ~100% won’t work. Even if it somehow does, you are trashing your system’s security. Just. Don’t.

Edit: Full emulation for a VM sounds miserable for performance.
May be possible, but is it workable? I don’t know.

Should I try it,

If you have a spare machine plus free time, and aren’t scared
of googling and learning new things; then yes.

my setup something where traditional Linux distros with KVM are probably going to work better?

Don’t test on prod and you will be fine :wink:

Related: How to enable Nested Virtualization for Android Emulator

Those instructions only show how to ‘pass through’ VMX/
SVM instructions. It doesn’t mean that they actually work
when trying to run a nested VM.

I’ve been thinking of doing something similar for software development. @arraybolt3 Did you end up going this route?

I did not - haven’t gotten the new hardware I intended to use for it yet. I also ended up changing my mind - the speed issues I saw Qubes was having wouldn’t work well for my use case. I have an old desktop I could probably use to experiment with, but I’ve been too busy to experiment with it, so I haven’t yet.

1 Like

I do use Qubes OS for software development

2 Likes

Hello and welcome to the community.

This can’t be answered for obvious reasons, so you risk continuing to wonder.

It will work more securely for sure. Imagine drivers 50 years ago forced to have seat belts tied. Annoying, right? Will it work better? Only you may answer this.

If you’re not ready to change yourself and your computer usage habits and routines, you’ll constantly find reasons not to use Qubes.

Advice: each question to its own topic, while being as specific as possible in the request. You’ll more likely get valid answers and suggestions.

If I’m asked, you shouldn’t be able, but should use Qubes. Anyone actually. Anyone serious about security realizes that sooner or later.

I was using a lot of VMs under Windows for many years and never heard of Qubes. The day I realized I desperately needed to detach my Windows host from the internet, with VirtualBox still able to be online, Qubes came up in a search engine.

That is just great. Treat yourself and invest in and contribute to yourself. Use Qubes. In 6 months you’ll hopefully contribute to Qubes realizing how great the switch was.

Best regards

P.S.

Probably related

1 Like