External repositories, pip, snap, appimage persistent installations in template/appVM

Introduction

Hi, I’m quiet lost in installing programs mentioned in title. If I understood correctly, for external repositories I need to allow domains in firewall.

Question

Could someone help me set up mentioned installation methods step-by-step?

My tries

I tried installed snap then I tried IntelliJ Idea. Error network is unreachable occurred on fedora and debain template

I tried pip3 install clickable (for Ubuntu Touch) with Temporary failure in name resolution error.

I also tried element.io but there was no connection to the internet.

My advice for pip (and perhaps other repositories) would be to install them on as user programs on the AppVM. Not in Templates

For development purposes, I think it’s better to have these installed on the AppVM user space than enabling network access to install packages with pip for example. Also because ideally you don’t run any other programs than the package manager on the TemplateVM.

But I’d like to hear concerns about the security of this approach.

:warning: warning: With any of these methods it’s likely you’ll forget to update software since the auto updater for Qubes will not be able to help you. So you might miss out on important security updates.

Installing Python Packages

Through Package Manager

Debian has quite a lot of packaged python packages, you can find them under the python- name space (apt search python3-)

Through PIP

For example, for pip you can look into virtual environements. What I do is

  1. On Template Qube you install python3-pip and virtualenvwrapper or equivalent

  2. Add the following to the end of ~.bashrc and reopen the terminal

    source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
    
  3. And then on the AppVM you create a profile where you can install python modules that will persist across rebots (they will be installed under ~/.virtualenvs

    mkvirtualenv -p /usr/bin/python3 [project] # [project] is a plceholder
    pip install newspaper # or whatever python modules you want
    

    Then everytime you open a new terminal and want to access that virtual environement you do :stuck_out_tongue:

    workon project
    

    And then a little (project) will show up in the terminal showing you are now on that virtual environment and as such you have access to all the packages installed.

Snap packages

There is a small discussion about this here: Qubes os and cryptocurrency wallets bu

AppImages

I do have a program that I have to install as an AppImage since it’s not available in packaged form. What I do in this case is drop it on the template under /opt/, create a shortcut icon under /usr/share/applications and only start it on the AppVM.

2 Likes

Thank You for reply, :slight_smile: I have one more question.

Maybe I missed something but when I try to install app using dnf/apt in AppVM it won’t persist until next AppVM reboot, will it? (All in all, in my case, they don’t).

There appears question: What I missed / how do I make them persistent?

1 Like

You have to understand that most of the file system in template based
qubes is not persistent. This can have some advantages.
Take a look at https://www.qubes-os.org/doc/templates

There are mechanisms for making some files/directories persistent
across reboots - https://www.qubes-os.org/doc/bind-dirs

As to installing software in templates, it is rarely necessary to give
the template network access. Don’t forget that the template has access
to a proxy via qrexec.
You can specify the proxy:
export https_proxy=127.0.0.1:8082
pip install....

or pip install --proxy=https://127.0.0.1:8082 ....

If you remember that the proxy is there, you will find that many
problems can be solved by searching for “using X behind a proxy”

3 Likes

Yes, both APT and DNF install software by default on the root filesystem, and since AppVMs inherit the root filesystem from the TemplateVM they are based on, then text time you reboot any software you installed through those methods will have disappeared.

However, there is a way to have software persistently installed on an AppVM and this involves installing it on the user’s home. The installation of python software through virtualenvironemnts and PIP I suggested earlier uses this approach so the packages will persist across reboots of the AppVM.

@unman’s approach on the other hand installs PIP packages on the TemplateVM.

1 Like