Debian-10-minimal Configuration

  1. Would anybody be interested in collaborating to document
    Debian-10-minimal configuration for different popular qube uses?

Sure, we should probably stage it here: GitHub - Qubes-Community/Contents (community documentation, code, links to third-party resources; see the issues and pull requests for pending content, contributions are welcome!) and once it’s ready have a conversation with @adw about if and where to contribute this to the main documentation on the Qubes website.

I’ll post some of my configurations at the end of this comment as an
example to build on.

  1. How have you had to minimally modify the
    debian-10-minimal-template for each of these Qube uses?

I pretty much have a template for each AppVM qube, with a few that are
used by multiple qubes (e.g. mail, browser). This might sound like a big
deal, but isn’t as these templates are very small and I use
apt-cacher-ng in sys-firewall so every updated package is only
downloaded once and then cached for all templates that need it.

The AppVMs based on them also require surprisingly little memory. Both
my sys-net and sys-usb run at 160 MB each. The mail (thunderbird) ones
run at < 600 MB.

Do you find there are qubes where fedora-32-minimal-template is
better suited?

No. I might not use fedora right, but I find its dependencies a mess.
There is no --no-install-recommends equivalent and the most innocent
install requests result in many extremely unnecessary packages being
installed. Also it’s not unusual to have several updates per day and
frequent version updates that actually break things. I am starting to
consider fedora as not stable.

Also caching fedora updates using apt-cacher-ng is far from
straightforward, but very useful if you want to have many templates. Finally the
fedora minimal template starts out already larger than debian minimal.

Some of my basic templates…
(apologies, the forum software is giving me a hard time pasting in some bash scripts here, the formatting gets all messed up – I’ll follow up tomorrow)

3 Likes

Personally, I would appreciate a short demo movie on: Let’s make a minimal debian-template in Qubes OS.

I never did a minimal-template so I am very interested in your docs. My support will be limited but I will do some “noob-intermediate” tests as soon as you have your docs ready :wink:

It’s fairly straightforward terminal work, so a short demo movie isn’t necessary.

Step 1: Download the desired minimal templates

Step 2: Update and upgrade the template(s) and make universal changes (changes that you want all your templates to inherit). An example of some universal changes would be enabling sudo prompt (which counterintuitively involves installing passwordless root and then disabling it) or enabling AppArmor. You can find out how to do those specific tasks elsewhere.

Step 3: Find out which packages are needed for the template to do what you want it to do (i.e. read the documentation)

Step 4: Clone your templates and install the appropriate packages, then configure settings. There’s not much special about this part except for PCI VMs like sys-usb and sys-net, where you have to alter kernel options and service settings. This is all covered in the documentation.

Before I actually used minimal templates, I was expecting to do a lot of difficult things to get them working, but it turns out it’s simple. If you know your way around basic Linux commands and the basics that are covered in the documentation, it’s child’s play. If you don’t know basic Linux commands I wouldn’t recommend using minimal templates (the basic Linux commands involved are so easy, even I know how to use them–you could probably learn them in 30 mins).

1 Like

Thanks. I will try this as soon as I have some free time.

1 Like

Ok, so I had to change the format of this summary to make it work with the forum. All commands you see here are meant to be done in dom0 terminal.

  1. Installing debian-10-minimal…

sudo qubes-dom0-update qubes-template-debian-10-minimal

  2. clone and setup your own minimal template

qvm-clone debian-10-minimal tpl-deb-10-min

  • If you have a HiDPI display, you might want to set the dpi early at this step to avoid having to do it over and over in derived templates:

qvm-run --pass-io -u root tpl-deb-10-min 'echo "Xft.dpi: 144" >> /etc/X11/Xresources/x11-common'

  • If you are using apt-cacher-ng already, you will need these lines (if you don’t know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list"
qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list.d/*.list"

  • Run all updates:

qvm-run --pass-io -u root tpl-deb-10-min "apt update && apt full-upgrade -y"

  • I don’t do this, but if you want password-less sudo in your qubes, run this:

qvm-run --pass-io -u root tpl-deb-10-min "apt install --no-install-recommends qubes-core-agent-passwordless-root -y"

  • I like XTerm, so I am setting it as default terminal and shut down the template:

qvm-run --pass-io -u root tpl-deb-10-min "update-alternatives --set x-terminal-emulator /usr/bin/xterm && poweroff"

  3. I don’t like keeping installed templates around and we already made our own clone … so now remove the installed template.

sudo dnf remove qubes-template-debian-10-minimal

  4. Let’s make the template for sys-net
  • we need network: qubes-core-agent-networking
  • and the network manager to select WiFi networks: qubes-core-agent-network-manager
  • gnome-keyring is needed for the network manager to remember WiFi passwords
  • firmware-iwlwifi is needed for my WiFi adapter, so this differs from device to device. If your WiFi is from Intel there is a good chance this will work.

qvm-clone tpl-deb-10-min tpl-deb-10-sys-net

qvm-run --pass-io -u root tpl-deb-10-sys-net "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager gnome-keyring firmware-iwlwifi -y && poweroff"

  5. Now the template for sys-usb
  • qubes-usb-proxy is needed wherever you’ll want to use USB
  • qubes-input-proxy-sender is needed if you want to use a USB mouse / keyboard
  • nautilus & zenity needed to have GUI support in e.g. Qubes backup
  • policykit-1 and libblockdev-crypto2 needed to mount encrypted drives
  • ntfs-3g needed to be able to mount NTFS formatted drives

qvm-clone tpl-deb-10-min tpl-deb-10-sys-usb

qvm-run --pass-io -u root tpl-deb-10-sys-usb "apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 ntfs-3g -y && poweroff"

  6. A template for sys-firewall
  • obviously we need networking: qubes-core-agent-networking
  • and we want to make dom0 updates using sys-firewall: qubes-core-agent-dom0-updates
  • apt-cacher-ng to be able to cache updates (see notes/apt-cacher-ng in unman/notes on GitHub) … this is optional but very helpful if you have many templates
  • when installing apt-cacher-ng there is an interactive setup, so all the extra stuff in this install command is to suppress that and go with the default.

qvm-clone tpl-deb-10-min tpl-deb-10-sys-firewall

qvm-run --pass-io -u root tpl-deb-10-sys-firewall "DEBIAN_FRONTEND='noninteractive' apt-get -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng"

qvm-run --pass-io -u root tpl-deb-10-sys-firewall "systemctl mask apt-cacher-ng && poweroff"

qvm-features tpl-deb-10-sys-firewall qubes-firewall 1

  7. template to base the management dvm on
  • needs qubes-core-agent-passwordless-root and qubes-mgmt-salt-vm-connector

qvm-clone tpl-deb-10-min tpl-deb-10-sys-mgmt

qvm-run --pass-io -u root tpl-deb-10-sys-mgmt "apt install --no-install-recommends qubes-core-agent-passwordless-root qubes-mgmt-salt-vm-connector -y && poweroff"

  8. my vault template
  • gnupg & qubes-gpg-split obviously
  • keepassx is optional, but I like my password manager to be in the vault
  • qt5-style-plugins gtk2-engines-murrine and QT_QPA_PLATFORMTHEME=gtk2 are needed to make keepassx obey the system theme

qvm-clone tpl-deb-10-min tpl-deb-10-vault

qvm-run --pass-io -u root tpl-deb-10-vault "apt install --no-install-recommends gnupg qubes-gpg-split keepassx qt5-style-plugins gtk2-engines-murrine -y"

qvm-run --pass-io -u root tpl-deb-10-vault 'echo "QT_QPA_PLATFORMTHEME=gtk2" >> /etc/environment && poweroff'

  9. template for mail qubes
  • obviously we need network
  • having a GUI file manager is convenient to deal with attachments, but it’s not needed (you can do all from terminal too)
  • qubes-gpg-split & libgpgme11 needed by OpenPGP in Thunderbird

qvm-clone tpl-deb-10-min tpl-deb-10-mail

qvm-run --pass-io -u root tpl-deb-10-mail "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 qubes-gpg-split thunderbird libgpgme11 -y && poweroff"

  10. template for web browsing qubes
  • network
  • nautilus to deal with downloads
  • pulseaudio-qubes to allow for audio
  • firefox obviously

qvm-clone tpl-deb-10-min tpl-deb-10-browser

qvm-run --pass-io -u root tpl-deb-10-browser "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 pulseaudio-qubes firefox-esr -y && poweroff"

  11. template for signal messenger
  • network
  • nautilus to deal with downloads
  • dunst is needed for signal notifications, if no notification service is provided signal will hang
  • curl is needed to download the key for signal

qvm-clone tpl-deb-10-min tpl-deb-10-signal

qvm-run --pass-io -u root tpl-deb-10-signal "apt install --no-install-recommends curl qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 dunst -y"

  • get the signing key and add it (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-10-signal "curl --proxy http://127.0.0.1:8082/ -s http://HTTPS///updates.signal.org/desktop/apt/keys.asc | apt-key add -"

  • add the signal repository (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-10-signal 'echo "deb [arch=amd64] http://HTTPS///updates.signal.org/desktop/apt xenial main" | tee -a /etc/apt/sources.list.d/signal-xenial.list'

  • update & install

qvm-run --pass-io -u root tpl-deb-10-signal "apt update && apt full-upgrade -y && apt install --no-install-recommends signal-desktop -y && poweroff"

  12. libreoffice and evince template (offline dvm)

qvm-clone tpl-deb-10-min tpl-deb-10-office

  • libreoffice from backports to get HiDPI toolbar icons: adding backports repository (skip if you are fine with the standard libreoffice that comes with debian 10)

qvm-run --pass-io -u root tpl-deb-10-office 'echo "deb http://HTTPS///deb.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/debian-backports.list'

  • nautilus for file management
  • audio & USB support
  • evince for PDFs

qvm-run --pass-io -u root tpl-deb-10-office "apt update && apt install --no-install-recommends qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 pulseaudio-qubes qubes-usb-proxy evince -y"

  • if you don’t want to use backports, just run the following command without the -t buster-backports parameter:

qvm-run --pass-io -u root tpl-deb-10-office "apt -t buster-backports install --no-install-recommends libreoffice libreoffice-gtk3 libreoffice-style-elementary -y && poweroff"

When you have many templates (the above are just a sample of what I have), you might want to also write a bash script to run updates. It certainly beats the Qubes Update Manager in its current form:

qvm-run -u root --pass-io tpl-deb-10-min "apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean -y && poweroff"

… etc.

9 Likes
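As an added example (not the post's own script), here is a dom0 helper that runs the update-and-poweroff sequence from the post over a list of templates. It only accepts names of the tpl-deb-10-* form used above, so a stray argument never reaches qvm-run as an arbitrary qube name; QVM_RUN is an assumed override that lets the script be dry-run outside dom0.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the post's update sequence
# on each named template. QVM_RUN is a hypothetical override (e.g. QVM_RUN=echo)
# for dry-running outside dom0; in dom0 it defaults to the real qvm-run.
QVM_RUN="${QVM_RUN:-qvm-run}"

# The exact in-template command the post uses for updating and shutting down.
update_cmd() {
    printf '%s' "apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean -y && poweroff"
}

# Accept only the template naming scheme from the post (tpl-deb-10-...),
# so a typo or an AppVM name is rejected instead of being updated as root.
valid_template() {
    case "$1" in
        tpl-deb-10-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Update one template as root; non-zero if the name is rejected or qvm-run fails.
update_template() {
    tpl="$1"
    if ! valid_template "$tpl"; then
        echo "skipping '$tpl': not a tpl-deb-10-* template" >&2
        return 1
    fi
    "$QVM_RUN" -u root --pass-io "$tpl" "$(update_cmd)"
}

# Update every template given as an argument; the exit status is the number
# of templates that were skipped or failed, so 0 means all went through.
update_all() {
    failed=0
    for tpl in "$@"; do
        update_template "$tpl" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage in dom0: update_all $(qvm-ls --raw-list | grep '^tpl-deb-10-')
if [ $# -gt 0 ]; then
    update_all "$@"
fi
```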

I learned a lot of new tricks from this post–thank you for taking the time to make it.

Minor nitpicks: The wording for the first line makes it sound like you’ll need to install qubes-usb-proxy on every vm you intend to mount USB on–this is not the case. This is most likely not what you intended, but I just wanted to clarify something that might confuse a complete newbie.

I’ve never had to install exfat-fuse or ntfs-3g in my sys-usb since drives are never mounted there–those packages are installed in the app-vms. Since my drives work fine, it’s likely this is unnecessary (but of minimal impact in terms of security). I haven’t tried mounting encrypting drives but I suspect it’s the same.

sys-net and sys-usb

Maybe I’m confusing this with disposable sys-vms, but for PCI HVMs I switch off meminfo writer (qvm-services [qube] meminfo-writer off) and add iommu=soft swiotlb=8192 to kernelopts (on top of what’s already there).

Also, I think I’ve found a bug with security ramifications while checking settings for this–I recently switched to the 5.10 kernel for my default VM kernel. When I checked my kernelopts just then, all of my kernelopts in all of my VMs (except Whonix) have been cleared. This means that apparmor was shut off for a while without me knowing it.

Minor nitpicks: The wording for the first line makes it sound like
you’ll need to install qubes-usb-proxy on every vm you intend to
mount USB on–this is not the case. This is most likely not what
you intended, but I just wanted to clarify something that might
confuse a complete newbie.

In my experience this package is needed in every VM you want to assign
USB devices to (e.g. printer, USB microphone, iPhone, Kindle etc.). This
is different from assigning a USB stick as a block device.

I’ve never had to install exfat-fuse or ntfs-3g in my sys-usb
since drives are never mounted there–those packages are installed
in the app-vms. Since my drives work fine, it’s likely this is
unnecessary (but of minimal impact in terms of security). I haven’t
tried mounting encrypting drives but I suspect it’s the same.

I usually mount drives in sys-usb and then send/receive files from/to
there via the respective Qubes OS function. And obviously I mount my
encrypted backup drive in sys-usb. Just different uses than yours.

Maybe I’m confusing this with disposable sys-vms, but for PCI HVMs I switch off meminfo
writer (qvm-services [qube] meminfo-writer off) and add iommu=soft swiotlb=8192 to kernelopts (on top of what’s already there).

I do too, however not to the template which is always PVH. My post
concentrated on templates, but I can share similar scripts for setting
up qubes. However, the basic tools are the same so it would be
repetitive to post it here.

Also: I am aware I am supposed to do all of this with salt. But I
haven’t had the time/energy yet to learn how.

I had no idea! I’ve only ever used block devices with Qubes, so that didn’t occur to me. Sorry about that.

I haven’t bothered with salt either, but I suspect it’ll save me a ton of time when I set up new Qubes PCs since I’m typing everything in all the time. Tasket’s findpref script helps with this:

Dom0: Find all VMs that match a pref value, optionally set new values for them. For example, it’s a handy way to switch all VMs that are using a particular netvm to a different netvm.

@fiftyfourthparallel Ok, this is too much work for me now. I just have Qubes with all the nice features running smoothly: split GPG, split SSH, Yubikey, VPNs … and the most frustrating part the sys-usb (working with an external keyboard). I will follow this topic but I will wait for my next notebook to go with the minimal setup. With that I avoid an open heart (OS) surgery.

@Sven
Thanks for the scripts - I salt everything, as you may know.
I’m in the process of posting almost all my salt formulae, (except
obvious identifiers). I’ll post a link later.

2 Likes

Thank You Sven, for creating this guide for us and behemothwerecat for initiating the thread. Can you please tell me what policykit-1 and libblockdev-crypto2 do for a browser template?

Strictly for the browser you need:

* qubes-core-agent-networking obviously
* pulseaudio-qubes assuming you want to consume audio/video
* firefox-esr

If you’d like to have the nautilus file manager in addition to interact
with downloaded files via GUI instead of “just” XTerm:

* nautilus
* qubes-core-agent-nautilus for Qubes specific functionality
* zenity if you want to see the progress dialog while sending files to other qubes

And then, if you plan on mounting encrypted drives:

* gnome-keyring to manage the password (optional)
* policykit-1 (this was somehow needed to make it work...)
* libblockdev-crypto2 (...as was this)

This last part I have to admit I pasted in there without much thought
and I actually never do that in a browser based AppVM. So it would be
safe to remove – which I will do. Thanks for catching that!

/Sven

2 Likes

Actually, after removing it I found out what I need it for … when I mount my eInk Kindle I cannot access it without polkit installed. I don’t know why that is.

I want to apologize for my absence after initiating this thread - coffee spilled onto my keyboard, frying my machine, and it’s taken until now to get a new one I can run Qubes on.

@unman could you elaborate on the health warning for non-advanced users? Is the concern that minimal-template config is more prone to misconfiguring something that will go undetected without advanced understanding?

@Sven you’ve basically written the documentation I had in mind in one post! Legend! :pray: With this fresh machine I started to implement your instructions…

qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

Because this wasn’t in a code block, the double dash following the i flag was auto-formatted into an em dash. I was also getting an error in the sed command until I changed the delimiter to #, because / is in the argument. Perhaps if this post is turned into a github guide, it would be fitting to have a hyperlink explaining the sources.list change, as I initially found it quite confusing without being familiar with apt-cacher-ng : How to get apt-cacher-ng to download AND cache packages from Apt HTTPS repositories? - Ask Ubuntu

For clarity, I ran:
qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list"

qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list.d/*.list"

The next step (apt update && apt full-upgrade) is where I ran into problems; it returned this error message:

Err:1 http://HTTPS///deb.debian.org/debian buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082]
Err:2 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease 500 Unable to connect [IP: 127.0.0.1 8082]
Err:3 http://HTTPS///deb.qubes-os.org/r4.0/vm buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082] ...

Did I place the delimiter in the wrong location for sed? Do I need to first install apt-cacher-ng to the tpl-deb-10-min template? You say later down it is an optional package but I use many templates so decided to go with it. Thanks so much everyone! Very hyped at how many insights have already been contributed here.

EDIT: I attempted to integrate Unman’s apt-cacher-ng instructions into Sven’s instructions, for people like me who don’t already have it enabled but need it for this minimal set up. I figured it would be easier for others to make changes on Github for this section of the instructions involving apt-cacher-ng, so made a temporary repo. You’ll notice I split step 2 (clone and setup your own minimal template) into two separate steps, to fit in the apt-cacher-ng instructions. You’ll also notice that I run into an error restarting the service before I’m done setting it up!

Perhaps if this post is turned into a github guide, it would be
fitting to have a hyperlink explaining the sources.list change, as I
initially found it quite confusing without being familiar with
apt-cacher-ng

I am actively working on restarting my website, the debian-minimal
configurations being the initial central topic. ETA ~2 weeks.

I intend to grow this over time and have both manual and salt based
instructions.

Err:1 http://HTTPS///deb.debian.org/debian buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082]

Well, that’s what happens if your update proxy doesn’t run
apt-cacher-ng. I was torn whether to include it in the original post and
it seems I made the wrong call.

Do I need to first install apt-cacher-ng to the tpl-deb-10-min
template?

It needs to be installed in your updatevm. If that is not the case (yet)
then don’t use the two sed lines. You can run them later after you have
apt-cacher-ng working.

Very hyped at how many insights have already been contributed here.

I am still at the beginning of this journey but I can safely say that
basing everything on debian-minimal based templates and doing some
additional configuration (memory) … has completely transformed my
Qubes OS user experience. There is an enormous performance boost while
at the same time being confident that the attack surface is as small as
it can possibly be. And debian is STABLE. Once you have things setup,
they will stay that way for a long long time while still receiving
security updates.

Also if each qube takes less resources, it follows you can run a lot
more of them in parallel and therefore afford a much finer grained
compartmentalization strategy.

I understand the decision to start folks off with the big standard fedora
templates … but once a user is more familiar with how Qubes OS works
and has some grip on installing software in Linux and figuring out
dependencies debian-minimal is the way to go.

1 Like
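The sources.list rewrite discussed in the last two posts, as an added example (not code from either poster): it uses # as the sed delimiter because the pattern itself contains slashes, is safe to run twice, can be reversed when a template should stop going through the cacher, and includes a reachability check through the 127.0.0.1:8082 update proxy so the 500 "Unable to connect" error shows up before apt is switched over rather than after. File paths and the probe URL (deb.debian.org's buster Release file) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Rewrites apt sources for
# apt-cacher-ng's HTTPS passthrough form (https:// -> http://HTTPS///) and back.
# Functions take a file path so they can be tested on a constructed file.

# Rewrite every https:// entry to the cacher form. '#' is the sed delimiter
# because the pattern contains '/'. Running it twice changes nothing: a line
# already rewritten no longer contains a lowercase 'https://'.
to_cacher() {
    sed -i 's#https://#http://HTTPS///#g' "$1"
}

# Reverse rewrite for a template that will no longer use the cacher.
from_cacher() {
    sed -i 's#http://HTTPS///#https://#g' "$1"
}

# Number of entries still fetched directly over https (0 = all via cacher).
direct_https_count() {
    grep -c 'https://' "$1" || true
}

# Probe the cacher through the Qubes update proxy (same form as the curl line
# in the post) before rewriting; a failure here is the cause of the
# "500 Unable to connect [IP: 127.0.0.1 8082]" error seen above.
# CACHER_PROXY is a hypothetical override; the probe URL is an assumption.
cacher_reachable() {
    curl --proxy "${CACHER_PROXY:-http://127.0.0.1:8082/}" -sSf -o /dev/null \
        "http://HTTPS///deb.debian.org/debian/dists/buster/Release"
}

# Rewrite the given files only if the cacher answers; otherwise leave them
# untouched so apt keeps working without the cacher.
switch_to_cacher_if_available() {
    if cacher_reachable; then
        for f in "$@"; do to_cacher "$f"; done
        return 0
    fi
    echo "apt-cacher-ng not reachable via update proxy; sources left unchanged" >&2
    return 1
}
```

In a template the file arguments would be /etc/apt/sources.list and /etc/apt/sources.list.d/*.list, as in the post.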

I was asked to elaborate on the health warning for non-advanced users.
I speak personally, and not on behalf of Qubes project.
I think this covers two areas:
First, health warning for the user - it isn’t easy to correctly configure
a minimal template if you have little knowledge of Linux or Qubes,
and the scope for frustration and/or security errors is large.
Second, health warning for the project. There simply isn’t scope to
support naive users in this sort of endeavour, particularly when (as
now) new users don’t (or won’t) read the documentation.
That’s why the project provides ready configured larger templates, which
should work out of the box.

1 Like

If you want to set the caching proxy up with salt, there is a formula
at https://github.com/unman/shaker/cacher
There are even instructions in the README

1 Like

Hello all,

Maybe I should join the club :wink: . . .

I’ve found that loginctl showed no sessions when using the appVM based on tpl-deb-10-min.

But I had installed several packages until I noticed it worked.
See next comment: libpam-systemd fixed it

Hans

Found it: libpam-systemd

dpkg -s libpam-systemd

Package: libpam-systemd
Status: install ok installed
Priority: standard
Section: admin
Installed-Size: 396
Maintainer: Debian systemd Maintainers pkg-systemd-maintainers@lists.alioth.debian.org
Architecture: amd64
Multi-Arch: same
Source: systemd
Version: 241-7~deb10u7
Provides: default-logind (= 241-7~deb10u7), logind (= 241-7~deb10u7)
Depends: libc6 (>= 2.28), libpam0g (>= 0.99.7.1), systemd (= 241-7~deb10u7), libpam-runtime (>= 1.0.1-6), dbus, systemd-sysv
Description: system and service manager - PAM module
This package contains the PAM module which registers user sessions in
the systemd control group hierarchy for logind.
.
If in doubt, do install this package.
.
Packages that depend on logind functionality need to depend on libpam-systemd.
Homepage: https://www.freedesktop.org/wiki/Software/systemd

With that installed loginctl shows:

SESSION UID USER SEAT TTY
c1 1000 user seat0 tty7

1 sessions listed.

Hans

I was told that a Fedora-based UpdateVM is required for dom0 updates (unless using Debian 11, which has DNF support, but you were speaking of Debian 10 here). Is this not the case?