Hello.
I’m a beginner. But do i install apps in dom0 or in templates? Or in Domain/services.
I don’t really understand how this OS works, but i like it.
Right now if i want to install something that could be used in all Domains i install something in the debian template. But should i install it in dom0 instead? dom0 should also work in all domains right…
I know it’s a beginner question, but could someone please explain it a bit? Thanks
Hi, welcome to the community! I’m glad you like Qubes OS.
If you want to benefit from Qubes OS main advantage - security through isolation - you should never install anything in dom0. dom0 is only needed to manage the virtual machines and show them.
AppVMs get their root filesystem from template qubes, Fedora or Debian, by default. This is how Qubes OS isolation works. So you install software in TemplateVMs. You can find instructions how to install software here: https://www.qubes-os.org/doc/software-update-domu.
Thanks. So when i install in template debian 10, it shows up automatically in all domains (personal, work and so on), and maybe also services?
So i should never install in lets say domain work right? Instead just move it in the application picture you linked. That’s how i have been doing it. But i read this so that’s why i asked:
https://www.bryceguinta.me/install-configure-and-autostart-redshift-on-qubes-40.html
Thanks for your reply.
edit: Do you know where desktop wallpapers are located in qubes while you’re here…
Not all domains but only those based on debian-10 template.
“work” virtual machine is an AppVM by default. Every time you reboot it, it’s root filesystem with all installed software is reset to the one from its TemplateVM. You can install anything in “work”, but it will disappear after a reboot.
redshift is an exclusion, because it’s about displaying. (Soon, there will be another dedicated VM for that.) You have to install it to dom0 to apply to the whole system and not to some virtual machines. This is potentially dangerous for your security; you should ideally verify its source code before doing that. If it’s malicious, it can compromise everything in your system, because dom0 has infinite powers.
Aha! Clever. I did not get that. I thought only the two disposable ones got reset.
I like Qubes it’s really clean. Another question if you know… Sometimes i get issues with the browser and right and left mouse. When i click it. Might be an issue with not running fullscreen or similar. Have you experienced browser freezes sometimes? What do you do about it?
And if i install browser addons the browser stays the same even if the AppVM resets, and thats’ good. How does that work? It’s good the browser don’t reset. In disposable appvm’s the browser resets also. But in appvm’s it might be the filesystem then.
Thanks
To add more desktop wallpapers
search the web for picture in same the resolution as your screen,
right click the picture > view image,
press alt+f11
press print screen (keyboard button)
save picture
right click desktop > open terminal here
enter ‘sudo mv ~/Pictures/* /usr/share/backgrounds/’
done
To select desktop wallpaper
right click on desktop > desktop settings
your picture should be there
Disposable VMs are fully reset each reboot. You can customize them, so they always return to the state which you prefer.
For AppVMs only root partition is reset while home partition keeps all changes. This is why the browser stays the same after reboots.
Could it be this problem? window focus issue · Issue #3267 · QubesOS/qubes-issues · GitHub
If I understand you right, my personal workaround is to press two times alt+tab.
Could it be this issue? Screen freezing in Qubes R4.0.4 with kernel 5.10 · Issue #6458 · QubesOS/qubes-issues · GitHub
I personally do not experience such problem.
Ok. But that means that viruses go away in the disposable but stay on the appVM if some virus would infect while online then? Just curious. Thanks about customize… I want to add browser addons there also! Gonna check later on.
It’s nice with cubes! I have like 5 computers in one machine. Clever!
Im not sure what happens sometimes… But it works nice most of the time.
About the freeze… No it might be my mouse… I sometimes need to right click instead of left to get response… Something wierd. But if i plug in an external mouse that goes away sometimes. Works most of the time so it’s a small issue.
Thanks for the replies!
Thanks!
When im getting so good help and it’s not needed to start 5 different threads… Could you tell me how i should install OTPclient (2FA can be good actually.) in Qubes? I have not managed to install that one yet. In a debian template. Thanks!
It’s just one click and easy to use when installed. And its really good to use if hackers get passwords on forums and hack emails like they do all the time. Some better security that way.
https://haveibeenpwned.com/
Excluding unknown sophisticated exploits, malware would only remain in the AppVM (in this context “TemplateBasedVM”) if it infects the persistent directories, such as /home or /rw (or any you have set to be persistent with bind-dirs). The rest of the operating system is read-only from within the AppVM and loaded into RAM along with it. Only by infecting the TemplateVM on which it is based can any malware persist outside of the AppVM’s persistent directories.
So, if an AppVM is infected, the worst-case scenario (the “burn-it-to-the-ground” option) would be to delete the qube and sacrifice all its user data, then recreate a fresh one based on the same clean TemplateVM. Similarly, an infected TemplateVM can be removed and reinstalled, though greater risk is involved with TemplateVMs because many AppVMs may be based on it and any (or all) of them may become infected via the TemplateVM through a sufficiently sophisticated attack. Routine infections, such as adware on a TemplateVM you misused and browsed the Internet with (don’t do this), will almost certainly remain contained within the TemplateVM and recreating it should suffice to confidently remove any trace of the infection without having to recreate all its dependent AppVMs. Doing so will sacrifice all customization done to the TemplateVM, though, such as modified configuration files or installed applications.
I am new to Qubes OS myself, so there may be errors in the above that someone more familiar with the subject can correct. This thread and @deeplow’s reply to it may help you better understand these things.
A major exception to all this is with StandaloneVMs, which are basically cloned copies of a TemplateVM that are then run as fully virtualized and self-contained qubes.
Regards,
John
I’m glad I could help you. However, for the benefit of other users, it nevertheless would be good if you created a dedicated thread for that… unless this link helps you:
In AppVM viruses can only survive if they are located in a persistent place like /home as @JTeller3 correctly pointed out.
In dispVM, viruses can only survive a reboot if they found their way into its DisposableVM Template or TemplateVM.
Thanks! Qubes is more sophisticated then viruses then. Nice 
And if you don’t want people to read your work pdf lets say, you could just send it to an isolated vault without internet, and that way the attacker would have a hard time accessing that pdf as example. And yes it’s great that you can just remove an infected AppVm like that, and reinstall it quick. Much faster then installing a new OS the normal way if you had a virus or something. Good reply
thanks. I’m gonna try some other day. And if i don’t manage i can create a new one later on.
Yeah. I understand more now. Good thinking whoever came up with this idea in an OS! Arigato