Debian-10-minimal Configuration

I'm not sure what the problem was with the first command at the beginning of the thread, but this one worked fine. Thanks!


Hello Sven, is there any reason why you clone so many VMs instead of using template-based ones?

I think that Sven clones many templates from a minimal template (and possibly also clones many VMs). I do the same.

I do this to minimise the attack surface in each TemplateBasedVM, by only having the applications and libraries that are relevant to that qube or qube type. Using a caching proxy minimises the pain of having multiple templates.


Indeed, I clone from the minimal template and then install a specific feature or app.

Advantages as @unman already pointed out:

  • reduced attack surface
  • reduced memory requirements
  • allows for much more fine-grained compartmentalization (e.g. my "work" domain consists of a mail qube, several specialized web qubes, several project qubes with dev tools, a Teams qube and a Windows qube).

Totally just borrowed your reply to add that to the docs. Hope you don’t mind.


3 posts were split to a new topic: What Threats do Minimal Templates Protect Against?

Just out of curiosity @Sven do you find any situations where the full Debian templates are preferable to the minimal templates?

They are preferable at least when the user does not want to deal with configuration at all and just wants to use the system :) (and the threat model is less strict, of course)

I have come to appreciate Debian over Fedora in general for:

  • longer release cycles / less upgrades
  • more stability

That is true for all Debian templates. If one doesn’t have the need or inclination to configure many minimal-based templates, Debian full is certainly a good choice.


Hello @Sven. Thanks for your posts here, I was now able to change most of the templates to debian-10-minimal and that is just great.

Did you create a template with all programs as “Disposable VM Template”? Or how do you solve it if you receive for example a PDF, a Libreoffice document, a link via email and want to open it in a disposable vm?

@user45507 asked:

Did you create a template with all programs as “Disposable VM Template”? Or how do you solve it if you receive for example a PDF, a Libreoffice document, a link via email and want to open it in a disposable vm?

online-dvm based on the deb-10-web template (Firefox only)
offline-dvm based on the deb-10-office template (LibreOffice, Evince, VLC)

offline-dvm is the default disposable template.
deb-10-office is only used for offline-dvm.

qubes.OpenURL policy is set to always ask, so that’s when I select ‘Disposable (online-dvm)’

Works great!

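The two-disposable-template layout Sven describes (an online one for links, an offline one for documents, the offline one as default), written out as the dom0 commands that create it. This is an added example and not code from the original post: the template names deb-10-web and deb-10-office, the label colours, and sys-firewall as the NetVM for the online template are assumptions; DRY_RUN=1 prints the commands instead of running them. Setting the qubes.OpenURL policy to "ask" is done separately in the RPC policy and is not part of this script.

```shell
#!/bin/sh
# Added example (not from the original post): create Sven's online-dvm and
# offline-dvm disposable templates in dom0. Assumed: deb-10-web and deb-10-office
# already exist, sys-firewall is the NetVM for the online one.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # 1: print the dom0 commands instead of running them

# Run a dom0 command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn an app template into a disposable template. An empty netvm ("")
# leaves the qube without network, which is what makes offline-dvm offline.
make_dvm_template() {
    name="$1"; template="$2"; label="$3"; netvm="$4"
    run qvm-create --template "$template" --label "$label" "$name"
    run qvm-prefs "$name" template_for_dispvms True
    run qvm-features "$name" appmenus-dispvm 1
    run qvm-prefs "$name" netvm "$netvm"
}

setup_dvms() {
    # links from mail go to a browser-only, networked disposable
    make_dvm_template online-dvm  deb-10-web    red   sys-firewall
    # documents open in an office-only disposable with no network at all
    make_dvm_template offline-dvm deb-10-office black ""
    # offline-dvm is the default target for "open in disposable VM"
    run qubes-prefs default_dispvm offline-dvm
}

case "${1:-}" in
    setup) setup_dvms ;;
esac
```

Run it as `DRY_RUN=1 sh setup-dvms.sh setup` first to review the nine commands it would issue, then without DRY_RUN. Keeping the document disposable offline means a malicious PDF or office file has nowhere to phone home even if the viewer is exploited, which is the point of splitting the two templates.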

Thank you for your work.
I'd like to know why you prefer Intel-based computers; as far as I know Intel has a lot of holes, so wouldn't it be better to choose an AMD-based computer, for example the G505s?

2 posts were split to a new topic: How to configure qubes.OpenURL to ask which qube to open the URL in?

@deeplow / @plexus … let’s please split this out into a new topic “Do you prefer Intel to AMD?”

@rakibiy676 the answer is: I don’t have a preference. I just happen to run Intel on my Qubes machine. Once there is a fully open / user controlled alternative I will be one of the first to jump.

The Intel vs AMD is off topic from Qubes Community user support IMHO. I could split this out to “all around Qubes” but the posting user will not see the thread any more, which defeats the object.

It would be great

Wouldn't you also need qubes-core-agent-passwordless-root to mount encrypted drives through Nautilus? If I don't have it, it prompts "Unable to access location. Not authorized to perform operation".

edit: delete. I saw your subsequent comments on passwordless-root.


There were some small changes to Signal. I was able to get a new Debian 11 Minimal template working with this:

  1. template for Signal messenger
  • network
  • nautilus to deal with downloads
  • dunst is needed for signal notifications, if no notification service is provided signal will hang
  • curl is needed to download the key for signal

qvm-clone tpl-deb-11-min tpl-deb-11-signal

qvm-run --pass-io -u root tpl-deb-11-signal "apt install --no-install-recommends curl qubes-app-shutdown-idle qubes-core-agent-networking qubes-usb-proxy qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 dunst xfce4-notifyd -y"

get the signing key and add it (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-11-signal "curl --proxy http://127.0.0.1:8082/ -s http://HTTPS///updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null 2>&1"

add the signal repository (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-11-signal 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] http://HTTPS///updates.signal.org/desktop/apt xenial main" | tee -a /etc/apt/sources.list.d/signal-xenial.list'

update & install

qvm-run --pass-io -u root tpl-deb-11-signal "apt update && apt full-upgrade -y && apt install --no-install-recommends signal-desktop -y && poweroff"
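
The four steps above as one dom0 script, so the template can be rebuilt the same way after the next Debian release. This is an added example, not Sven's own script: the template names tpl-deb-11-min and tpl-deb-11-signal and the updates proxy on 127.0.0.1:8082 are taken from the post; USE_APT_CACHER switches between the apt-cacher-ng spelling (http://HTTPS///...) and plain https://, which is the manual replacement the post asks for; DRY_RUN=1 prints the commands instead of running them. Two small changes from the post: the key is downloaded to a file before being dearmored so a failed curl cannot leave an empty keyring behind, and sudo is dropped because qvm-run -u root already runs the command as root.

```shell
#!/bin/sh
# Added example (not from the original post): the Debian 11 minimal Signal
# template recipe as one dom0 script. Assumed names: tpl-deb-11-min (source)
# and tpl-deb-11-signal (new template); the proxy address is from the post.
set -eu

USE_APT_CACHER="${USE_APT_CACHER:-1}"   # 1: apt-cacher-ng in use, https:// becomes http://HTTPS///
DRY_RUN="${DRY_RUN:-0}"                 # 1: print the dom0 commands instead of running them
KEYRING=/usr/share/keyrings/signal-desktop-keyring.gpg
SIGNAL_REPO=https://updates.signal.org/desktop/apt

# apt-cacher-ng expects TLS origins spelled http://HTTPS///host/path and turns
# them back into https on its side; without the cacher the plain URL is used.
cacher_url() {
    if [ "$USE_APT_CACHER" = 1 ]; then
        printf '%s\n' "$1" | sed 's#^https://#http://HTTPS///#'
    else
        printf '%s\n' "$1"
    fi
}

# sources.list entry pinned to a dedicated keyring, so Signal's signing key
# can only vouch for Signal's repository and not for any other apt source.
signal_sources_line() {
    printf 'deb [arch=amd64 signed-by=%s] %s xenial main\n' "$KEYRING" "$(cacher_url "$SIGNAL_REPO")"
}

# Run one shell command as root inside the template (or print it under DRY_RUN).
in_template() {
    tpl="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf 'qvm-run --pass-io -u root %s %s\n' "$tpl" "$*"
    else
        qvm-run --pass-io -u root "$tpl" "$@"
    fi
}

build_signal_template() {
    src="$1"; dst="$2"
    if [ "$DRY_RUN" = 1 ]; then printf 'qvm-clone %s %s\n' "$src" "$dst"; else qvm-clone "$src" "$dst"; fi
    # Same package set as the post: networking, USB, nautilus for downloads,
    # dunst/xfce4-notifyd so Signal's notifications do not hang it, curl for the key.
    in_template "$dst" "apt install --no-install-recommends -y curl qubes-app-shutdown-idle qubes-core-agent-networking qubes-usb-proxy qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 dunst xfce4-notifyd"
    # Download to a file first: a pipe into gpg would hide curl's exit status and
    # could leave an empty keyring. No sudo needed, qvm-run -u root is already root.
    in_template "$dst" "set -e; curl --proxy http://127.0.0.1:8082/ -fsS -o /tmp/signal-keys.asc $(cacher_url "$SIGNAL_REPO/keys.asc") && gpg --batch --yes --dearmor -o $KEYRING /tmp/signal-keys.asc && rm /tmp/signal-keys.asc"
    in_template "$dst" "echo '$(signal_sources_line)' > /etc/apt/sources.list.d/signal-xenial.list"
    in_template "$dst" "apt update && apt full-upgrade -y && apt install --no-install-recommends -y signal-desktop && poweroff"
}

case "${1:-}" in
    build) build_signal_template "${2:-tpl-deb-11-min}" "${3:-tpl-deb-11-signal}" ;;
esac
```

Run `DRY_RUN=1 sh mk-signal-template.sh build` to see the five dom0 commands, and `USE_APT_CACHER=0` if the updates proxy is the stock tinyproxy rather than apt-cacher-ng. The signed-by= pin and the fetch-then-dearmor ordering are the two places where a lazy version of this recipe quietly weakens the template.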

Hi. I have a small problem with my Debian 11 minimal configuration… I can not open a USB device when I assign it via sys-usb (also Debian 11, Qubes 4.1.0-rc4 based) to one of my Debian 11 minimal AppVMs (qubes-usb-proxy is installed). I get the message: Unable to access “xxx”.
Not authorized to perform operation (polkit authority not available and caller is not uid 0)

Does anyone have an idea?

Minimal templates do not have the passwordless sudo package installed.
You need to be root (or have root access) to mount the device.

You have a number of options:

  1. Install the passwordless sudo package in the template.
  2. Open a root terminal in the qube (qvm-run -u root <qube> xterm) and mount the drive there.
  3. Mount from dom0: qvm-run -u root <qube> mount /dev/XXX /mnt

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.