Following an older post from Joanna (https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/), which I invite you to read first in order to understand what an AdminVM is, in this short post I want to give you some hints on how to create an AdminVM that can manage, create and delete VMs, just as you would do these usual actions from dom0.
- In the template that you will use to create the VM, make sure qubes-core-admin-client is installed. This package installs most of the
- Create an AppVM called, for example, windows-mgmt (yes, I'm using a current topic on the forum). Customize it as you like. For example, in the case of the Windows VM topics, give it 40GiB as private volume.
- In R4.1, RPC policies are now located in /etc/qubes/policy.d/ with legacy support still in place. In order to "declare" the AdminVM you just created, you need to add a set of policies in three different files:
First file, /etc/qubes/policy.d/30-windows-mgmt.policy (service, argument, source, target, decision, optional parameters):

```
admin.vm.Create.StandaloneVM * windows-mgmt dom0 allow
admin.vm.Create.TemplateVM * windows-mgmt dom0 allow
admin.vm.Create.AppVM * windows-mgmt dom0 allow
admin.vm.Remove * windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
qubes.Filecopy * windows-mgmt @tag:created-by-windows-mgmt allow
qubes.WaitForSession * windows-mgmt @tag:created-by-windows-mgmt allow
qubes.VMShell * windows-mgmt @tag:created-by-windows-mgmt allow
```

Second file (source, target, decision format, no service column):

```
windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
windows-mgmt windows-mgmt allow target=dom0
```

Third file (same format):

```
windows-mgmt @adminvm allow target=dom0
windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
windows-mgmt windows-mgmt allow target=dom0
```
Please note that in the above, the policy suffix number 30 is arbitrary but must be less than 35, because the legacy RPC rules are included at a higher number. Also, there is a specific tag pattern, created-by-*, which is used internally to record which AdminVM other than dom0 created a given VM. The set of policies can be restricted, for example by not allowing the creation of TemplateVMs, or extended to other RPCs if needed. This is a bare but reasonable set of RPC policies for daily tasks, or even for creating Windows VMs with the refactoring I'm doing (not finished yet due to: Testing Windows and QWT in R4.1): https://github.com/fepitre/qvm-create-windows-qube. With this newly created AppVM you can safely perform destructive/creative/risky operations like testing scripts, as windows-mgmt cannot do such things to VMs you previously created from dom0 or any other AdminVM.
Last remark: this is also valid for Qubes R4.0. Only the policy file /etc/qubes/policy.d/30-windows-mgmt.policy would have to be split into the corresponding per-RPC files under /etc/qubes-rpc/policy/ with R4.0 syntax.
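To see concretely what the 30-windows-mgmt.policy rules above permit, and what the R4.0 split looks like, here is an added example (my own code, not part of the original post and not the qrexec policy engine from the Qubes project). It reads the R4.1 policy.d line format for the subset used in this post only (exact qube names, @tag:, @adminvm, @anyvm, a "*" argument and key=value parameters), answers "would this call be allowed from this caller to this target, and where would it land?", lists which qubes a caller can reach for a service, and writes the same rules out as per-service files in the R4.0 /etc/qubes-rpc/policy/ style. The qube names win10-test and vault and their tags are a constructed inventory; the created-by-windows-mgmt tag is what dom0 would attach to a qube created on behalf of windows-mgmt.

```python
"""Offline check of the windows-mgmt RPC policy (added example, not Qubes code)."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed copy of the rules from /etc/qubes/policy.d/30-windows-mgmt.policy.
POLICY_TEXT = """\
admin.vm.Create.StandaloneVM * windows-mgmt dom0 allow
admin.vm.Create.TemplateVM * windows-mgmt dom0 allow
admin.vm.Create.AppVM * windows-mgmt dom0 allow
admin.vm.Remove * windows-mgmt @tag:created-by-windows-mgmt allow target=dom0
qubes.Filecopy * windows-mgmt @tag:created-by-windows-mgmt allow
qubes.WaitForSession * windows-mgmt @tag:created-by-windows-mgmt allow
qubes.VMShell * windows-mgmt @tag:created-by-windows-mgmt allow
"""

# Constructed inventory (hypothetical qube names): dom0 tags every qube it
# creates on behalf of an AdminVM with created-by-<that AdminVM>.
VM_TAGS: Dict[str, Set[str]] = {
    "dom0": set(),
    "windows-mgmt": set(),
    "win10-test": {"created-by-windows-mgmt"},
    "vault": set(),
}
ADMINVMS = {"dom0"}  # what the @adminvm specifier matches in this toy model


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    target: str
    decision: str
    params: Dict[str, str] = field(default_factory=dict)


def parse_policy(text: str) -> List[Rule]:
    """Parse 'service argument source target decision [key=value ...]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        params = dict(p.split("=", 1) for p in fields[5:])
        rules.append(Rule(*fields[:5], params))
    return rules


def _matches(spec: str, vm: str) -> bool:
    """Match a source/target specifier against a qube name."""
    if spec == "@anyvm":              # any qube except dom0
        return vm != "dom0"
    if spec == "@adminvm":
        return vm in ADMINVMS
    if spec.startswith("@tag:"):
        return spec[len("@tag:"):] in VM_TAGS.get(vm, set())
    return spec == vm


def evaluate(rules: List[Rule], service: str, source: str, target: str,
             argument: str = "") -> Optional[Dict[str, str]]:
    """First matching rule wins, as in qrexec. Returns the decision and the
    effective target (after a target= override); None when nothing matches,
    which qrexec treats as deny."""
    for r in rules:
        if r.service != service or r.argument not in ("*", argument):
            continue
        if _matches(r.source, source) and _matches(r.target, target):
            return {"decision": r.decision, "target": r.params.get("target", target)}
    return None


def reachable_targets(rules: List[Rule], service: str, source: str) -> List[str]:
    """Qubes the caller may name as target for a service: the blast radius
    that the created-by-* tag confines."""
    return sorted(vm for vm in VM_TAGS
                  if (evaluate(rules, service, source, vm) or {}).get("decision") == "allow")


def write_r40_policy(rules: List[Rule], policy_dir: str) -> List[str]:
    """Emit one <service>[+<argument>] file per service in the R4.0
    'source target decision[,key=value]' form. Returns the file names written."""
    os.makedirs(policy_dir, exist_ok=True)
    per_file: Dict[str, List[str]] = {}
    for r in rules:
        name = r.service if r.argument == "*" else f"{r.service}+{r.argument}"
        tail = ",".join([r.decision] + [f"{k}={v}" for k, v in r.params.items()])
        per_file.setdefault(name, []).append(f"{r.source} {r.target} {tail}")
    for name, lines in per_file.items():
        with open(os.path.join(policy_dir, name), "w") as fh:
            fh.write("\n".join(lines) + "\n")
    return sorted(per_file)


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    print("admin.vm.Remove from windows-mgmt may target:",
          reachable_targets(rules, "admin.vm.Remove", "windows-mgmt"))
    print("admin.vm.Remove on vault:", evaluate(rules, "admin.vm.Remove", "windows-mgmt", "vault"))
    print("R4.0 files written:", write_r40_policy(rules, "/tmp/qubes-rpc-policy-example"))
```

Running it shows the point of the tag: admin.vm.Remove from windows-mgmt only reaches win10-test (the qube carrying created-by-windows-mgmt), while vault falls through every rule and is denied, and the Create rules land on dom0 alone. The write_r40_policy output is what the R4.0 remark above calls splitting the single file into per-RPC files.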
That's all! Have fun tuning your Qubes!
PS: Thank you @marmarek for having checked the above RPC policies.