Fedora CoreOS and Silverblue Templates

huaopeng · May 29, 2022, 7:53pm

Hello,

Would it be possible to explore the idea of having CoreOS and SilverBlue templates? These distros

are designed for containerization and would increase security and flexibility of the current template scene

Becko · June 18, 2022, 6:40pm

They’re rather designed to provide the functionality of transactional updates to a system that runs predominantly containerised user software. I’m curious how you see this as being any flexible and whether people more knowledgable about Qubes see containerisation as bringing anything meaningful security-wise to an already compartmentalised operating system.

deeplow · June 21, 2022, 3:51pm

You can create your own templates. It won’t be easy but here are some links:

github.com

unman/notes/blob/master/Building_New_Templates.md

Here's how to build a Parrot template - you can adapt this to cover just
about *any* case which is based on an existing template.

Parrot, like Kali, is based on Debian testing - so the first thing you
need to do is make sure you can build a bullseye template.

1. Set up the Qubes build environment, as set out here:  
https://www.qubes-os.org/doc/qubes-builder/  
If you want a configured environment there is a salt formula in https://github.com/unman/shaker  

2. In `qubes-builder`, run `./setup`  
Select 4.0  
Stable  
Git Clone Faster  
DO NOT use Pre-build Packages - select OK without having selected an option
Build only the templates  
In the Selection list choose "buster"  
In the Plugins Selection, **deselect** builder-rpm and **select** builder-debian.  
Get-sources - select "Yes"

This file has been truncated. show original

Droplet6200 · December 2, 2023, 9:47pm

Why would creating a qube with Fedora Silverblue require so many steps — can’t an iso file be installed on a qube more simply such as in VirtualBox?

Droplet6200 · December 2, 2023, 9:51pm

Having an immutable OS makes it more difficult for an adversary to escalate privileges within the OS and could help to prevent them from escaping the virtual machine.

deeplow · December 2, 2023, 9:54pm

I think immutable OS’s is one of the changes @demi (from the Qubes team) noted as important as well in her talk from the 2023 Qubes summit (on youtube). But I can imagine there are some implementation challenges that make it hard to implement.

Feel free to watch Demi’s talk. I can recommend.

Droplet6200 · December 2, 2023, 9:59pm

Thanks for sharing! Is this the video? There are several 8 hour 2023 summit videos.

deeplow · December 3, 2023, 9:58am

This is it https://www.youtube.com/watch?v=_UxndcxIngw (I think it’s the same)

It starts at 2h22m.

Droplet6200 · December 26, 2023, 4:47am

It’s actually really interesting! I’m going to go through the whole presentation

ripping_motion · June 6, 2025, 4:25am

(Sorry for the necro)
qubes_builder now has a complete revision in qubes_builder v2, so I don’t think the instructions of that last link work anymore.

I wouldn’t completely assume so, but to install Fedora Silverblue in Qubes, do you just have to change the builder.yml config file from fedora:latest to fedora-silverblue:latest? The last link you included sort of had that type of logic.

ripping_motion · June 8, 2025, 12:55am

Also, the instructions in this PrivSec guide to make a template seem way simpler compared to @unman 's guide. Would all I need to do differently from the PrivSec guide be to copy the vmlinuz and initramfs files from Silverblue releases? If so, where would I find these files?

ripping_motion · June 11, 2025, 9:57pm

If this simplicity still applies when using Qubes builder v2, then making a Silverblue template sounds promising!

Immutable Linux desktop distributions don’t provide any security benefit over typical ones. Secureblue is a security hardened, atomic, Fedora based Linux distro, but its atomicity/immutability is not what makes it more secure than Fedora Workstation.