How to create an AdminVM in R4.1?

Following an older post from Joanna, https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/, that I invite you to read first in order to understand what an AdminVM is, in this little post I want to give you some hints on how to create an AdminVM, as you would expect it, to manage/create/delete VMs just as you would do these usual actions in dom0.

  1. In the template that you will use to create the VM, ensure that qubes-core-admin-client is installed. This package installs most of the qvm-* tools.
  2. Create an AppVM called, for example, windows-mgmt (yes, I’m using a current topic on the forum :slight_smile:). Customize it at your convenience. For example, in the case of Windows VM topics, give it 40GiB as private volume.
  3. In R4.1, RPC policies are now located in /etc/qubes/policy.d/, still with legacy support. In order to “declare” your previously created AppVM as an AdminVM, you need to add a set of policies in three different files:

/etc/qubes/policy.d/30-windows-mgmt.policy:

admin.vm.Create.StandaloneVM * windows-mgmt dom0 allow
admin.vm.Create.TemplateVM * windows-mgmt dom0 allow
admin.vm.Create.AppVM * windows-mgmt dom0 allow
admin.vm.Remove * windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
qubes.Filecopy * windows-mgmt @tag:created-by-windows-mgmt allow
qubes.WaitForSession * windows-mgmt @tag:created-by-windows-mgmt allow
qubes.VMShell * windows-mgmt @tag:created-by-windows-mgmt allow

/etc/qubes/policy.d/include/admin-local-rwx:

windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
windows-mgmt windows-mgmt allow target=dom0

/etc/qubes/policy.d/include/admin-global-ro:

windows-mgmt @adminvm allow target=dom0
windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
windows-mgmt windows-mgmt allow target=dom0

Please note that in the above the policy suffix number 30 is arbitrary but must be less than 35 due to the inclusion of legacy RPC rules at a higher number. Also, there is a specific pattern in the tags, created-by-*, which is used internally to determine which AdminVM other than dom0 has created a VM. The set of policies can be restricted, for example to not allow creating TemplateVMs, but it can also be extended to other RPCs if needed. This is a bare but reasonable set of RPC policies to do daily stuff or even to create Windows VMs in the refactoring (not finished yet due to: Testing Windows and QWT in R4.1) I’m doing: https://github.com/fepitre/qvm-create-windows-qube. With this newly created AppVM you are safe to perform destructive/creative/risky operations like testing scripts such as qvm-create-windows-qube, because windows-mgmt cannot do such things to the VMs you previously created with dom0 or any other AppVM ;).

Last remark: this is also valid with Qubes R4.0. Only the policy file /etc/qubes/policy.d/30-windows-mgmt.policy would have to be split into the corresponding per-RPC files under /etc/qubes-rpc/policy/, with R4.0 syntax.

That’s all! Have fun in tuning your Qubes!

PS: Thank you @marmarek for having checked the above RPC policies :smiley:

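To see what the windows-mgmt rules in the post actually grant and refuse, here is an added example (my own, not code from the post or from the Qubes project) that models the R4.1 first-match policy evaluation in Python. The VM inventory and its created-by-* tags are constructed; the model covers only allow/deny rules with the * and @tag: patterns, not ask, @default, !include or the rest of what the real qrexec policy engine handles.

```python
"""Simplified model of R4.1 qrexec policy matching (added example, not
the qrexec engine) applied to rules taken from 30-windows-mgmt.policy."""
from collections import namedtuple

# Constructed VM inventory: name -> tags (the real engine asks qubesd).
VMS = {
    "windows-mgmt": set(),
    "win10-test": {"created-by-windows-mgmt"},  # created by the AdminVM
    "work": {"created-by-dom0"},                # created from dom0
}

# Three rules copied from the 30-windows-mgmt.policy fragment above.
POLICY = """\
admin.vm.Create.AppVM * windows-mgmt dom0 allow
admin.vm.Remove * windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
qubes.VMShell * windows-mgmt @tag:created-by-windows-mgmt allow
"""

Rule = namedtuple("Rule", "service arg source target action params")

def parse(text):
    """Parse 'service argument source target action [params...]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if len(f) < 5 or f[4] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw}")
        rules.append(Rule(f[0], f[1], f[2], f[3], f[4], tuple(f[5:])))
    return rules

def _vm_matches(pattern, vm):
    """'*' matches any VM, '@tag:x' matches VMs tagged x, else exact name."""
    if pattern == "*":
        return True
    if pattern.startswith("@tag:"):
        return pattern[len("@tag:"):] in VMS.get(vm, set())
    return pattern == vm

def evaluate(rules, service, arg, source, target):
    """First matching rule wins; a request matching no rule is denied."""
    for r in rules:
        if (r.service == service and r.arg in ("*", arg)
                and _vm_matches(r.source, source)
                and _vm_matches(r.target, target)):
            return r.action
    return "deny"
```

Running evaluate() over the parsed rules shows that windows-mgmt may remove win10-test (tagged created-by-windows-mgmt) but not work, which carries only created-by-dom0.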

Please, this is off-topic, and also I’ve not finished tracking every fix to be done while I’m refactoring stuff. Please use the corresponding thread: https://forum.qubes-os.org/t/r4-1-qvm-create-windows-qube