Debian-10-minimal Configuration

Minor nitpicks: The wording for the first line makes it sound like
you’ll need to install qubes-usb-proxy on every vm you intend to
mount USB on–this is not the case. This is most likely not what
you intended, but I just wanted to clarify something that might
confuse a complete newbie.

In my experience this package is needed in every VM you want to assign
USB devices to (e.g. printer, USB microphone, iPhone, Kindle etc.). This
is different from assigning a USB stick as a block device.

I’ve never had to install exfat-fuse or ntfs-3g in my sys-usb
since drives are never mounted there–those packages are installed
in the app-vms. Since my drives work fine, it’s likely this is
unnecessary (but of minimal impact in terms of security). I haven’t
tried mounting encrypted drives but I suspect it’s the same.

I usually mount drives in sys-usb and then send/receive files from/to
there via the respective Qubes OS function. And obviously I mount my
encrypted backup drive in sys-usb. Just different uses than yours.

Maybe I’m confusing this with, but:

> for PCI HVMs I switch off meminfo writer (qvm-service [qube] meminfo-writer off) and add iommu=soft swiotlb=8192 to kernelopts (on top of what’s already there).

I do too, however not to the template, which is always PVH. My post
concentrated on templates, but I can share similar scripts for setting
up qubes. However, the basic tools are the same so it would be
repetitive to post it here.

Also: I am aware I am supposed to do all of this with salt. But I
haven’t had the time/energy yet to learn how.


I had no idea! I’ve only ever used block devices with Qubes, so that didn’t occur to me. Sorry about that.

I haven’t bothered with salt either, but I suspect it’ll save me a ton of time when I set up new Qubes PCs since I’m typing everything in all the time. Tasket’s findpref script helps with this:

Dom0: Find all VMs that match a pref value, optionally set new values for them. For example, it’s a handy way to switch all VMs that are using a particular netvm to a different netvm.

@fiftyfourthparallel Ok, this is too much work for me now. I just have Qubes with all the nice features running smoothly: split GPG, split SSH, Yubikey, VPNs … and the most frustrating part the sys-usb (working with an external keyboard). I will follow this topic but I will wait for my next notebook to go with the minimal setup. With that I avoid an open heart (OS) surgery.

@Sven
Thanks for the scripts - I salt everything, as you may know.
I’m in the process of posting almost all my salt formulae, (except
obvious identifiers). I’ll post a link later.


Thank You Sven, for creating this guide for us and behemothwerecat for initiating the thread. Can you please tell me what policykit-1 and libblockdev-crypto2 do for a browser template?

Strictly for the browser you need:

* qubes-core-agent-networking obviously
* pulseaudio-qubes assuming you want to consume audio/video
* firefox-esr

If you’d like to have the nautilus file manager in addition to interact
with downloaded files via GUI instead of “just” XTerm:

* nautilus
* qubes-core-agent-nautilus for Qubes specific functionality
* zenity if you want to see the progress dialog while sending files to other qubes

And then, if you plan on mounting encrypted drives:

* gnome-keyring to manage the password (optional)
* policykit-1 (this was somehow needed to make it work...)
* libblockdev-crypto2 (...as was this)

This last part I have to admit I pasted in there without much thought
and I actually never do that in a browser based AppVM. So it would be
safe to remove – which I will do. Thanks for catching that!

/Sven


Actually, after removing it I found out what I need it for … when I mount my eInk Kindle I cannot access it without polkit installed. I don’t know why that is.

I want to apologize for my absence after initiating this thread - coffee spilled onto my keyboard, frying my machine, and it’s taken until now to get a new one I can run Qubes on.

@unman could you elaborate on the health warning for non-advanced users? Is the concern that minimal-template config is more prone to misconfiguring something that will go undetected without advanced understanding?

@Sven you’ve basically written the documentation I had in mind in one post! Legend! :pray: With this fresh machine I started to implement your instructions…

qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

Because this wasn’t in a code block, the double dash following the i flag was auto-formatted into an em dash. I was also getting an error in the sed command until I changed the delimiter to #, because / is in the argument. Perhaps if this post is turned into a github guide, it would be fitting to have a hyperlink explaining the sources.list change, as I initially found it quite confusing without being familiar with apt-cacher-ng : How to get apt-cacher-ng to download AND cache packages from Apt HTTPS repositories? - Ask Ubuntu

For clarity, I ran:
qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list"

qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list.d/*.list"

The next step (apt update && apt full-upgrade) is where I run into problems; it returned this error message:

Err:1 http://HTTPS///deb.debian.org/debian buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082]
Err:2 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease 500 Unable to connect [IP: 127.0.0.1 8082]
Err:3 http://HTTPS///deb.qubes-os.org/r4.0/vm buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082] ...

Did I place the delimiter in the wrong location for sed? Do I need to first install apt-cacher-ng to the tpl-deb-10-min template? You say later down it is an optional package but I use many templates so decided to go with it. Thanks so much everyone! Very hyped at how many insights have already been contributed here.

EDIT: I attempted to integrate Unman’s apt-cacher-ng instructions into Sven’s instructions, for people like me who don’t already have it enabled but need it for this minimal set up. I figured it would be easier for others to make changes on Github for this section of the instructions involving apt-cacher-ng, so made a temporary repo. You’ll notice I split step 2 (clone and setup your own minimal template) into two separate steps, to fit in the apt-cacher-ng instructions. You’ll also notice that I run into an error restarting the service before I’m done setting it up!


Perhaps if this post is turned into a github guide, it would be
fitting to have a hyperlink explaining the sources.list change, as I
initially found it quite confusing without being familiar with
apt-cacher-ng

I am actively working on restarting my website, the debian-minimal
configurations being the initial central topic. ETA ~2 weeks.

I intend to grow this over time and have both manual and salt based
instructions.

Err:1 http://HTTPS///deb.debian.org/debian buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082]

Well, that’s what happens if your update proxy doesn’t run
apt-cacher-ng. I was torn whether to include it in the original post and
it seems I made the wrong call.

Do I need to first install apt-cacher-ng to the tpl-deb-10-min
template?

It needs to be installed in your updatevm. If that is not the case (yet)
then don’t use the two sed lines. You can run them later after you have
apt-cacher-ng working.

Very hyped at how many insights have already been contributed here.

I am still at the beginning of this journey but I can safely say that
basing everything on debian-minimal based templates and doing some
additional configuration (memory) … has completely transformed my
Qubes OS user experience. There is an enormous performance boost while
at the same time being confident that the attack surface is as small as
it can possibly be. And debian is STABLE. Once you have things set up,
they will stay that way for a long long time while still receiving
security updates.

Also if each qube takes less resources, it follows you can run a lot
more of them in parallel and therefore afford a much finer grained
compartmentalization strategy.

I understand the decision to start folks off with the big standard fedora
templates … but once a user is more familiar with how Qubes OS works
and has some grip on installing software in Linux and figuring out
dependencies debian-minimal is the way to go.

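As an added example (not code from the thread or from Sven’s scripts), the sources.list rewrite discussed above as reversible shell functions, plus a check for the "500 Unable to connect [IP: 127.0.0.1 8082]" symptom quoted earlier. It assumes POSIX sh with sed and grep; the sample sources and apt output are constructed, not captured.

```shell
# Constructed sample sources.list content (Debian 10 plus the Qubes repo).
SAMPLE_SOURCES='deb https://deb.debian.org/debian buster main
deb https://deb.debian.org/debian-security buster/updates main
deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster main'

# Constructed apt output, in the shape of the errors quoted in the thread.
SAMPLE_APT_OUTPUT='Err:1 http://HTTPS///deb.debian.org/debian buster InRelease
  500 Unable to connect [IP: 127.0.0.1 8082]
Err:2 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease
  500 Unable to connect [IP: 127.0.0.1 8082]
Hit:3 http://HTTPS///deb.qubes-os.org/r4.0/vm buster InRelease'

# Rewrite https:// repos into the form apt-cacher-ng expects behind the
# Qubes update proxy. '#' is the sed delimiter because the URL contains '/'.
to_cacher() { printf '%s\n' "$1" | sed 's#https://#http://HTTPS///#g'; }

# Undo the rewrite, for an updatevm that only runs the stock proxy.
from_cacher() { printf '%s\n' "$1" | sed 's#http://HTTPS///#https://#g'; }

# Same edit applied in place to the files given as arguments. Run as root
# inside the template (e.g. via qvm-run --pass-io -u root <template> ...).
rewrite_files_in_place() { sed -i -- 's#https://#http://HTTPS///#g' "$@"; }

# Count apt lines that report the update proxy refusing the HTTPS/// form.
# grep -c prints 0 and exits 1 on no match; '|| true' keeps that as a count.
count_proxy_errors() {
    printf '%s\n' "$1" | grep -c 'Unable to connect \[IP: 127.0.0.1 8082\]' || true
}

# Return 0 if "apt update" output looks healthy, 1 if it shows the symptom
# that means the updatevm is not running apt-cacher-ng (or it is down).
diagnose_apt_output() {
    n=$(count_proxy_errors "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n proxy errors: updatevm is not serving apt-cacher-ng on 8082;" \
             "install it there or revert the sources with from_cacher" >&2
        return 1
    fi
    return 0
}
```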

I was asked to elaborate on the health warning for non-advanced users.
I speak personally, and not on behalf of Qubes project.
I think this covers two areas:
First, health warning for the user - it isn’t easy to correctly configure
a minimal template if you have little knowledge of Linux or Qubes,
and the scope for frustration and/or security errors is large.
Second, health warning for the project. There simply isn’t scope to
support naive users in this sort of endeavour, particularly when (as
now) new users don’t (or won’t) read the documentation.
That’s why the project provides ready configured larger templates, which
should work out of the box.


If you want to set the caching proxy up with salt, there is a formula
at https://github.com/unman/shaker/cacher
There are even instructions in the README


Hello all,

Maybe I should join the club :wink: . . .

I’ve found that loginctl showed no sessions when using the appVM based on tpl-deb-10-min.

But I had installed several packages until I noticed it worked.
See next comment: libpam-systemd fixed it

Hans

Found it: libpam-systemd

dpkg -s libpam-systemd

Package: libpam-systemd
Status: install ok installed
Priority: standard
Section: admin
Installed-Size: 396
Maintainer: Debian systemd Maintainers pkg-systemd-maintainers@lists.alioth.debian.org
Architecture: amd64
Multi-Arch: same
Source: systemd
Version: 241-7~deb10u7
Provides: default-logind (= 241-7~deb10u7), logind (= 241-7~deb10u7)
Depends: libc6 (>= 2.28), libpam0g (>= 0.99.7.1), systemd (= 241-7~deb10u7), libpam-runtime (>= 1.0.1-6), dbus, systemd-sysv
Description: system and service manager - PAM module
This package contains the PAM module which registers user sessions in
the systemd control group hierarchy for logind.
.
If in doubt, do install this package.
.
Packages that depend on logind functionality need to depend on libpam-systemd.
Homepage: systemd

With that installed loginctl shows:

SESSION UID USER SEAT TTY
c1 1000 user seat0 tty7

1 sessions listed.

Hans

I was told that a Fedora-based UpdateVM is required for dom0 updates (unless using Debian 11, which has DNF support, but you were speaking of Debian 10 here). Is this not the case?

@adw I’m getting dom0 updates just fine. If it were true that one needs a Fedora based qube to download dom0 updates, using sys-whonix as updatevm wouldn’t work either.

Is this not because a qubes dnf was provided to cover cases where dnf was
not available in Debian?

Another data point: debian-10-minimal updateVM works fine for me on both R4.1 and R4.0

This recently stopped working for me and I needed to install qubes-core-agent-passwordless-root to make it work again. Some light research indicates that this is all connected somehow to policykit but I don’t really understand what’s happening.

Also there isn’t really any good reason not to install qubes-core-agent-passwordless-root so I didn’t care much to investigate further either.

@Sven, @unman: Thanks for clarifying. Out of curiosity, does this mean that you don’t need any Fedora VMs at all, i.e., that it’s now possible to use only Debian VMs? Or is there still something for which you have to keep at least one Fedora VM around? My understanding is that you might need a Fedora mgmt VM to manage other Fedora VMs, but if you don’t have any, then that wouldn’t apply either.

