How to create ready-made system qubes avoiding configuring them manually?

User Support General
1

I really tried to find a manual specially made for this case but couldn’t. Neither here nor in Qubes documents (strange in my opinion). The only thing I found is the manual how to create the sys-usb (again, it’s strange for me why there is no manual for sys-net creation. Not to mention the sys-firewall).
Why I need this. I came across a situation where USB stick almost doesn’t work in the sys-usb based on Debian 13. It worked fine on previous Qubes 4.2 where was Debian 12. After Qubes 4.3 fresh installation it almost doesn’t work. And it has problems now even on the Debian 12 based sys-usb from other Qubes 4.3 that was upgraded in place and where Debian remained on 12 version.
So my decision is to try Fedora based sys-usb. I would stop only on sys-usb creation but I suspect that the single Fedora based sys-usb will not work with other Debian based system qubes so I should create the rest of new, Fedora based system qubes to make it all work.
My logic is that if Qubes can create ready-made system qubes during post-installation phase then it means it can do the same in any time later. There only should be a special command or commands for this. I want to avoid manual configuration of these qubes in order to avoid some misconfiguration so my goal is to find a way to create them ready-made.
I found out how to install Fedora template using Template Manager. Found special command for sys-usb creation. Now I have a few questions about how complete the rest of the tesk.

  1. The command for sys-usb creation looks like this: sudo qubesctl state.sls qvm.sys-usb How will it determine which template to use to create a qube? After all, now there will be two templates on the basis of which system qubes can be created.
  2. Will it be enough just to change the name of the qube in this command to create the rest of ready-made system qubes? For example sudo qubesctl state.sls qvm.sys-firewall. Or will I still need to configure all system qubes manually?
  3. If so, where the instructions on how configure all of them manually?
  4. Should to mention that sys-usb and sys-firewall were disposable. Will that command create them already disposable or I should make them disposable manually?
1 Like
2

Qubes uses salt to provision system qubes. You can find the state files
in /srv/formulas/base/virtual-machines-formula/qvm - root access
required.

If you look at sys-usb.sls you can see how the qube is set up. Also
for sys-firewall.sls, etc. The qubesctl call is referencing a file
not an product

These files use templating, which can be quite confusing, and access
what salt calls a “pillar” - a set of values that are defined
system-wide.

In the sys-usb file you will see that it will be based on the default
template, and this value is got by:

{% set default_template = salt['cmd.shell']('qubes-prefs default-template') %}

If you want to experiment with Salt, you can change the value used here.
If you want I could talk you through the process.

On the last point, in the file you will see this:
{% if salt['pillar.get']('qvm:sys-usb:disposable', false) %}
That is a conditional based on the value of a pillar item - so yes, the
state files will create them as disposable automatically.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like
3

Ok. Thank you from heart for all help! :handshake: I checked sys-net and there’s written that it will be created as disposable too. Sys-firewall and sys-usb as disposables it’s understandable and OK for me, but I would prefer sys-net to be persistant. Should I change something in sys-net.sls so that it is created persistant by default or after creation I just can change its template from default-dvm to Fedora template so that it becomes persistant app vm?
And there appears another problem because of the default-dvm - it is Debian 13 based. So what should I do with this? Change the default template to Fedora so that default-dvm becomes Fedora based (or set it manually if it won’t) (or delete the Debian based default-dvm and create Fedora based default-dvm) and only then create all system qubes?
And in general, do I really need to create all Fedora based system qubes or if I create only Fedora based sys-usb (changing default-dvm to Fedora based before that), it will be able to work fine with the rest of the system qubes that are based on Debian?

4

Checked sys-usb. Saw the line that it requires sys-net. Does it mean that sys-usb will be created with sys-net as its net-vm? I think it should have no net-vm. It should be offline disposable vm. If I plug in the USB stick I just attach it to sys-net and that’s all. Sys-usb should not provide network by itself.

5

Installed Fedora template, created all Fedora based system qubes and set them to work. It only got worse… :man_facepalming: The stick either constantly appears in storage mode and then immediately disappears or rareley even doesn’t appear initially. Even usb-modeswitch configurations don’t help. I just wasted two days!
Can try also Debian 12 template since the stick showed better work with this OS but soon or later Debian 12 reaches its EOL date so there will be no updates. It’s sad. :tipping_hand_man:
Or maybe the Debian 13 devs will release update that will finally fix this issue and I can return to Debian 13. Though since this problem is even worse on Fedora then it means that there is something wrong with interaction with this stick in all latest Linux distros