Debian-10-minimal Configuration

8 posts were merged into an existing topic: Is it possible to use only Debian VMs? (no Fedora VMs)

Has anyone figured out which packages are required for Thunderbird to work with Split GPG in the template on which the email VM is based? For some reason, Thunderbird is not using my GPG backend VM when based on debian-10-minimal, but fedora-32-minimal works. Here’s what the debian-10-minimal template already has installed:

qubes-core-agent-networking
qubes-core-agent-nautilus
nautilus
qubes-gpg-split
thunderbird
qubes-thunderbird

Edit: Ah, I’m missing libgpgme11. I had missed this line:

Thanks, @Sven!

Has anyone figured out which packages are required for Thunderbird to
work with Split GPG in the template on which the email VM is based?

Sure. Works for me with the below packages:

  • qubes-core-agent-networking
  • qubes-core-agent-nautilus nautilus zenity
  • thunderbird
  • qubes-gpg-split libgpgme11

For some reason, Thunderbird is not using my GPG backend VM when
based on debian-10-minimal, but fedora-32-minimal works.

libgpgme11 is definitely needed, it’s normally a dependency of gnupg

In addition:

  • have you created /rw/config/gpg-split-domain?
  • how does your qubes.Gpg policy file look?
  • if you do ‘qubes-gpg-client-wrapper -k’ … what happens?

@adw sorry didn’t see your edit until now. I’m usually interfacing via email and edits after the initial 10 minutes don’t make it into the emails.

In cases like this it would be much appreciated to reply instead of edit.

1 Like

@Sven did that blog post ever drop? not sure what the url is :slight_smile:

1 Like

Not yet. If you like you can simply add Sven Semmler to your feed reader and then you can’t miss it.

2 Likes

I’ve kept fedora template because there are more up to date packages. For example keepassxc. While in the debain 10 repo has the keepassxc version is like 2.3.4, fedora 33 repo has the keepassxc version like 2.6.4-2. Do you know maybe how can someone use the latest keepassxc package in debian-10 template besides snap / flatpak?

1 Like

I’ve kept fedora template because there are more up to date packages. For example keepassxc. While in the debain 10 repo has the keepassxc version is like 2.3.4, fedora 33 repo has the keepassxc version like 2.6.4-2. Do you know maybe how can someone use the latest keepassxc package in debian-10 template besides snap / flatpak?

buster-backports has 2.6.2 - not quite the latest, but it’s Debian.
https://backports.debian.org/

3 Likes

Interesting. I was led to believe that Debian often had newer versions of packages than Fedora, but after checking a few common programs, it appears that is not really the case.

Ah, I was using a site that compares package versions across distros, but it does not include the Debian security updates repo, which has some newer packages, so it is not quite as bad as I thought. However, even taking this into account, Fedora stable does still appear to have newer versions than Debian stable for some popular packages.

I’d have some question about your awesome description:

I like XTerm, so I am setting it as default template and shutdown the template:

Isn’t XTerm the default terminal emulator? I think you wanted to write default terminal emulator instead of default template. Or not?

“DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=’–force-confdef’ -o Dpkg::Options::=’–force-confold’ install

When creating sys-firewall’s template the part of the installation command linked above: does it apply to the apt-cacher-ng installation, so you basically not allow the http tunnel?

If i’m not using the apt-cacher-ng right now, but i’d like to use it and installing it to the sys-firewall template: when do i need to apply these commands:

If you are using apt-cacher-ng already, you will need these lines (if you don’t know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

When i cloned the debian-10-minimal template to tpl-deb-10-min, or after i’ve created the sys-firewall template and installed apt-cacher-ng package?

Unfortunately i get an error when trying to run sys-firewall’s installing command:

qvm-run --pass-io -u root tpl-deb-10-sys-firewall “DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=’-force-confdef’ -o Dpkg::Options::=’-force-confold’ install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng”

The above command was copied from my dom0 terminal after i typed and executed it, and this was the output:

Fetched 19.2 MB in 7s (2,744 kB/s)
dpkg: error: unknown option -o

Type dpkg --help for help about installing and deinstalling packages [*];
Use 'apt' or 'aptitude' for user-friendly package management;
Type dpkg -Dhelp for a list of dpkg debug flag values;
Type dpkg --force-help for a list of forcing options;
Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !
E: Sub-process /usr/bin/dpkg returned an error code (2)

Is there any way i could copy and paste commands to dom0 just to be sure i don’t mistype anything? Or is there maybe any problem with the command itself?

Thanks any help!

I like XTerm, so I am setting it as default template and shutdown
the template:

Isn’t XTerm the default terminal emulator? I think you wanted to
write default terminal emulator instead of default template. Or not?

You are right, this should have been “setting it as default terminal
emulator”. I can’t edit the original post anymore, but I think in
context it is still understandable what I meant. Thank you for pointing
it out!

“DEBIAN_FRONTEND=‘noninteractive’ apt-get -y
-o

Dpkg::Options::=’–force-confdef’ -o
Dpkg::Options::=’–force-confold’ install

When creating sys-firewall’s template the part of the installation
command linked above: does it apply to the apt-cacher-ng
installation, so you basically not allow the http tunnel?

In this specific case that is the effect. What the command does is to
install whatever follows with it’s defaults but it won’t overwrite
already existing configurations. This way you won’t have to interact.

If i’m not using the apt-cacher-ng right now, but i’d like to use it
and installing it to the sys-firewall template: when do i need to
apply these commands:

If you are using apt-cacher-ng already, you will need these lines
(if you don’t know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min “sed -i –
‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i –
‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

When i cloned the debian-10-minimal template to tpl-deb-10-min, or
after i’ve created the sys-firewall template and installed
apt-cacher-ng package?

It will be rather obvious when you need them. After you installed
apt-cacher-ng correctly and it has taken over the role of tinyproxy you
will see error messages when calling ‘apt’ because it no longer gets a
connection to https repositories.

That’s when you need to change all the URLs from https:// to
http://HTTPS/// which the above commands accomplish.

Thanks any help!

You are very welcome. @unman is the one maintaining these templates, he
wrote the notes most of this is based on and has answered patiently all
my questions. All credit goes to him, all mistakes are mine.

1 Like

Thanks for clarifying my questions for me!

Could you maybe address my last question about the sys-firewall’s installation command? I’m not sure if i mistyped something or there is something else. Or is it a command coming from @unman and i should ask himself?

Could you maybe address my last question about the sys-firewall’s
installation command?
You need to change the URLs in …

  • /etc/apt/sources.list
  • all *.list files in the /etc/apt/sources.list.d directory
  • of all templates

after you installed apt-cacher-ng in sys-firewall according to
unman’s notes.

Be warned: if you do so your Fedora qubes won’t update anymore without
additional work with apt-cacher-ng configuration. It’s not an issue for
me as I don’t use Fedora qubes, but if you do there is more work ahead
of you.

So if you go ahead you need to apply the commands not only to
tpl-deb-10-min but to all of your debian based templates.

Sorry, i think i wasn’t too specific with my latest post. I’m stuck at the installation stage. In dom0 if i type the command after cloning the tpl-deb-10-min to tpl-deb-10-sys-firewall:

qvm-run --pass-io -u root tpl-deb-10-sys-firewall “DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=’-force-confdef’ -o Dpkg::Options::=’-force-confold’ install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng”`

I got this error:

Fetched 19.2 MB in 7s (2,744 kB/s)
dpkg: error: unknown option -o

Type dpkg --help for help about installing and deinstalling packages [*];
Use 'apt' or 'aptitude' for user-friendly package management;
Type dpkg -Dhelp for a list of dpkg debug flag values;
Type dpkg --force-help for a list of forcing options;
Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !
E: Sub-process /usr/bin/dpkg returned an error code (2)

And i’m not able to pass through the error. That’s why i thought maybe i mistyped the command, or there is something else.

Hi @onequbesuser from your other posting I conclude you have meanwhile figured it out and successfully installed everything. But for the sake of other readers let me answer here: The only thing weird with your command are the actual quote signs and that might be introduced by the forum. Also there was one additional single quote at the end that didn’t belong there but that too might be an artifact of trying to format things as ‘preformated text’ here.

Here is how is should look:

qvm-run --pass-io -u root tpl-deb-10-sys-firewall "DEBIAN_FRONTEND='noninteractive' apt-get -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng"

1 Like

Thanks! While i really almost installed everything i wanted with the minimal debian, the sys-* VMs are waited for this. I will try the command tomorrow and will report back!

Thanks for putting the instructions together!

1 Like

I’m not sure what was the problem witht the first command at the beginning of the thread, but with this one it’s worked fine. Thanks!

1 Like

Hello sven, is there any reason why you cloning many vm? Instead of using template based?

I think that Sven clones many templates from a minimal template, (and
possibly also clones many VMs.)
I do the same.

I do this to minimise the attack surface in each TemplateBasedVM, by
only having the applications and libraries that are relevant to that
qube or qube type.
Using a caching proxy minimises the pain of having multiple templates.

4 Likes