Debian-10-minimal Configuration

I was told that a Fedora-based UpdateVM is required for dom0 updates (unless using Debian 11, which has DNF support, but you were speaking of Debian 10 here). Is this not the case?

@adw I’m getting dom0 updates just fine. If it were true that one needs a Fedora based qube to download dom0 updates, using sys-whonix as updatevm wouldn’t work either.

Is this not because a qubes dnf was provided to cover cases where dnf was
not available in Debian?

Another data point: debian-10-minimal updateVM works fine for me on both R4.1 and R4.0

This recently stopped working for me and I needed to install qubes-core-agent-passwordless-root to make it work again. Some light research indicates that this is all connected somehow to policykit but I don’t really understand what’s happening.

Also there isn’t really any good reason not to install qubes-core-agent-passwordless-root so I didn’t care much to investigate further either.

@Sven, @unman: Thanks for clarifying. Out of curiosity, does this mean that you don’t need any Fedora VMs at all, i.e., that it’s now possible to use only Debian VMs? Or is there still something for which you have to keep at least one Fedora VM around? My understanding is that you might need a Fedora mgmt VM to manage other Fedora VMs, but if you don’t have any, then that wouldn’t apply either.

1 Like

8 posts were merged into an existing topic: Is it possible to use only Debian VMs? (no Fedora VMs)

Has anyone figured out which packages are required for Thunderbird to work with Split GPG in the template on which the email VM is based? For some reason, Thunderbird is not using my GPG backend VM when based on debian-10-minimal, but fedora-32-minimal works. Here’s what the debian-10-minimal template already has installed:

qubes-core-agent-networking
qubes-core-agent-nautilus
nautilus
qubes-gpg-split
thunderbird
qubes-thunderbird

Edit: Ah, I’m missing libgpgme11. I had missed this line:

Thanks, @Sven!

Has anyone figured out which packages are required for Thunderbird to
work with Split GPG in the template on which the email VM is based?

Sure. Works for me with the below packages:

  • qubes-core-agent-networking
  • qubes-core-agent-nautilus nautilus zenity
  • thunderbird
  • qubes-gpg-split libgpgme11

For some reason, Thunderbird is not using my GPG backend VM when
based on debian-10-minimal, but fedora-32-minimal works.

libgpgme11 is definitely needed, it’s normally a dependency of gnupg

In addition:

  • have you created /rw/config/gpg-split-domain?
  • how does your qubes.Gpg policy file look?
  • if you do ‘qubes-gpg-client-wrapper -k’ … what happens?

@adw sorry didn’t see your edit until now. I’m usually interfacing via email and edits after the initial 10 minutes don’t make it into the emails.

In cases like this it would be much appreciated to reply instead of edit.

1 Like

@Sven did that blog post ever drop? not sure what the url is :slight_smile:

1 Like

Not yet. If you like you can simply add /Sven to your feed reader and then you can’t miss it.

3 Likes

I’ve kept fedora template because there are more up to date packages. For example keepassxc. While in the debain 10 repo has the keepassxc version is like 2.3.4, fedora 33 repo has the keepassxc version like 2.6.4-2. Do you know maybe how can someone use the latest keepassxc package in debian-10 template besides snap / flatpak?

1 Like

I’ve kept fedora template because there are more up to date packages. For example keepassxc. While in the debain 10 repo has the keepassxc version is like 2.3.4, fedora 33 repo has the keepassxc version like 2.6.4-2. Do you know maybe how can someone use the latest keepassxc package in debian-10 template besides snap / flatpak?

buster-backports has 2.6.2 - not quite the latest, but it’s Debian.
https://backports.debian.org/

3 Likes

Interesting. I was led to believe that Debian often had newer versions of packages than Fedora, but after checking a few common programs, it appears that is not really the case.

Ah, I was using a site that compares package versions across distros, but it does not include the Debian security updates repo, which has some newer packages, so it is not quite as bad as I thought. However, even taking this into account, Fedora stable does still appear to have newer versions than Debian stable for some popular packages.

I’d have some question about your awesome description:

I like XTerm, so I am setting it as default template and shutdown the template:

Isn’t XTerm the default terminal emulator? I think you wanted to write default terminal emulator instead of default template. Or not?

“DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=’–force-confdef’ -o Dpkg::Options::=’–force-confold’ install

When creating sys-firewall’s template the part of the installation command linked above: does it apply to the apt-cacher-ng installation, so you basically not allow the http tunnel?

If i’m not using the apt-cacher-ng right now, but i’d like to use it and installing it to the sys-firewall template: when do i need to apply these commands:

If you are using apt-cacher-ng already, you will need these lines (if you don’t know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

When i cloned the debian-10-minimal template to tpl-deb-10-min, or after i’ve created the sys-firewall template and installed apt-cacher-ng package?

Unfortunately i get an error when trying to run sys-firewall’s installing command:

qvm-run --pass-io -u root tpl-deb-10-sys-firewall “DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=‘-force-confdef’ -o Dpkg::Options::=‘-force-confold’ install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng”

The above command was copied from my dom0 terminal after i typed and executed it, and this was the output:

Fetched 19.2 MB in 7s (2,744 kB/s)
dpkg: error: unknown option -o

Type dpkg --help for help about installing and deinstalling packages [*];
Use 'apt' or 'aptitude' for user-friendly package management;
Type dpkg -Dhelp for a list of dpkg debug flag values;
Type dpkg --force-help for a list of forcing options;
Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !
E: Sub-process /usr/bin/dpkg returned an error code (2)

Is there any way i could copy and paste commands to dom0 just to be sure i don’t mistype anything? Or is there maybe any problem with the command itself?

Thanks any help!

I like XTerm, so I am setting it as default template and shutdown
the template:

Isn’t XTerm the default terminal emulator? I think you wanted to
write default terminal emulator instead of default template. Or not?

You are right, this should have been “setting it as default terminal
emulator”. I can’t edit the original post anymore, but I think in
context it is still understandable what I meant. Thank you for pointing
it out!

“DEBIAN_FRONTEND=‘noninteractive’ apt-get -y
-o
Dpkg::Options::=’–force-confdef’ -o
Dpkg::Options::=’–force-confold’ install

When creating sys-firewall’s template the part of the installation
command linked above: does it apply to the apt-cacher-ng
installation, so you basically not allow the http tunnel?

In this specific case that is the effect. What the command does is to
install whatever follows with it’s defaults but it won’t overwrite
already existing configurations. This way you won’t have to interact.

If i’m not using the apt-cacher-ng right now, but i’d like to use it
and installing it to the sys-firewall template: when do i need to
apply these commands:

If you are using apt-cacher-ng already, you will need these lines
(if you don’t know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min “sed -i –
‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i –
‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

When i cloned the debian-10-minimal template to tpl-deb-10-min, or
after i’ve created the sys-firewall template and installed
apt-cacher-ng package?

It will be rather obvious when you need them. After you installed
apt-cacher-ng correctly and it has taken over the role of tinyproxy you
will see error messages when calling ‘apt’ because it no longer gets a
connection to https repositories.

That’s when you need to change all the URLs from https:// to
http://HTTPS/// which the above commands accomplish.

Thanks any help!

You are very welcome. @unman is the one maintaining these templates, he
wrote the notes most of this is based on and has answered patiently all
my questions. All credit goes to him, all mistakes are mine.

1 Like

Thanks for clarifying my questions for me!

Could you maybe address my last question about the sys-firewall’s installation command? I’m not sure if i mistyped something or there is something else. Or is it a command coming from @unman and i should ask himself?

Could you maybe address my last question about the sys-firewall’s
installation command?
You need to change the URLs in …

  • /etc/apt/sources.list
  • all *.list files in the /etc/apt/sources.list.d directory
  • of all templates

after you installed apt-cacher-ng in sys-firewall according to
unman’s notes.

Be warned: if you do so your Fedora qubes won’t update anymore without
additional work with apt-cacher-ng configuration. It’s not an issue for
me as I don’t use Fedora qubes, but if you do there is more work ahead
of you.

So if you go ahead you need to apply the commands not only to
tpl-deb-10-min but to all of your debian based templates.