So, I have a deb-11-min template following Sven’s guide. And further cloning that template into a template called deb-11-min-net, I have installed the two packages, qubes-core-agent-networking and qubes-core-agent-network-manager, per the first guide above.
Now, how do I actually use this template for sys-net? Do I adjust some NetVM column entries in the Qube Manager? Do I change the “template” entry for the default sys-net qube from debian-11-dvm to my newly created minimal deb-11-min-net template?
I would appreciate the help in connecting the dots on this.
Either approach is good, and both work fine.
Simplest would be to change the sys-net template to the new template. If
something doesn’t work, just shut down and switch the template back.
If you have 2 NICs, then I would allocate one to sys-net, and create
a new sys-net2 using the new template to hold the other NIC. That way,
if you keep the update proxy allocated to sys-net you can add or amend
packages as needed without down time.
After shutting down (killing) the sys-whonix, sys-firewall, and sys-net qubes, I right-clicked the sys-net qube on Qube Manager. Settings: sys-net window opened. In this window, the Template drop down menu offers me only two choices:
debian-11-dvm (current)
whonix-ws-16-dvm
The first one is the default one (it is not the minimal deb-11-min-net template I prepared. The second one is the whonix, I guess. So, the drop down menu doesn’t enable me to pick the deb-11-min-net template,
So, how can I change the sys-net template to the new template?
My use case is to separate WiFi from Ethernet. So logically, I need separate “net” and “firewall” qubes for both kinds of connection. It seems reasonable to name them sys-net-wifi, sys-net-ether, sys-firewall-wifi, and sys-firewall-ether.
But no matter what I try as far as changing names, so that defaults for updates and the like go through sys-firewall-wifi (and sys-net-wifi) something in the system insists that there must be a qube named sys-net and another named sys-firewall. If I run update on some template, a new sys-net will be created on the fly and used.
This was regardless of anything I set on global qubes setting window.
Digging a bit deeper I found a config file that would change things unavailable on the settings window, but I somehow managed to lock myself out of my system (keyboard wouldn’t work on reboot) that way.
I strongly recommend just doing what’s necessary to ensure you have qubes named sys-net and sys-firewall…even if they are based on your templates. (And to make sure those templates are the ones set up to talk to the internet, if you are trying to “split” your system like I did.)
In other words, just make sure sys-net uses your new qube as a template, rather than whatever was installed. (Be ready, of course, to change it back if things don’t work.) Don’t try to rename sys-net (or sys-firewall).
Which disposable template? Are you telling me that I should base debian-11-dvm template (which is the current sys-net template) as the newly created deb-11-min-net ?
I wouldn’t do this, as you may be using that template for disposables
elsewhere, and it may have unforeseen consequences.
Disposables are based on a “disposable template” - that is a standard
template based qube.
You can (though I would not recommend it) change the template for your
debian-11-dvm to your new template. This will affect all disposables.
Or you can create a new qube using the new template, make it a
disposable template, and then use that as the template for your
sys-net. tzwcfq showed you how to do that.
In either case you can, if you want, create a new disposable qube called
“sys-net-minimal” or similar. That’s up to you.
I would rather confine the change to sys-net and not affect other disposables.
However, as I said above in this thread, the Qube Manager UI doesn’t allow me to pick the newly created minimal deb-11-min-net for sys-net template. So how do I get that done?
you have a disposable called sys-net.
This is based on a “disposable template” called debian-11-dvm.
That “disposable template” is a qube which uses a template.
You have created a new template. What you haven’t yet done is create a
new “disposable template”
OK. So it is not enough to create a minimal template for the sys-net, but one also has to create a “Disposable Qube” based on the minimal template, which the sys-net will then use as a Template.
So,
deb-11-min-net → deb-11-min-net-dvm → sys-net
The arrow denotes “Template” relationship with the left hand side is the parent of the right hand side of the arrow.
I did @tzwcfq 's steps. And then changed the sys-net’s template to deb-11-min-net-dvm.
For clarity here is a table of VM relations:
deb-11-min (minimal debian template)
deb-11-min-net (clone of deb-11-min with qubes-core-agent-networkingqubes-core-agent-network-manager packages installed)
deb-11-min-net-dvm (created following tzwcfq’s post above)
So, sys-net has Template as deb-11-min-net-dvm selected on the Qube Manager. I haven’t messed around with sys-firewall, so its Template is still the default debian-11-dvm.
Now after restarting the QubesOS, I no longer have the wifi on system tray visible. So, I am guessing something messed up. How do I get the wifi tray working again?
And now you have discovered the issue with minimal templates - they are
minimal. They are also aimed at “advanced users”: people who are at
home with Linux and Qubes.
The docs make it clear that if a minimal template doesn’t work as the
full one it is almost certainly due to missing packages.
Like many Qubes problems this is not Qubes specific. You could search
any guide to WiFi in Debian, looking for your specific WiFi adapter.
(The only Qubes specific part is that you have to do this in the
template, not in sys-net.)
You haven’t made it clear if you are missing the Network Manager icon, or
whether you are missing WiFi.
I’m assuming the latter.
The first thing to do is to check if you have “wireless tools” installed.
Then if you have the drivers required for your specific WiFi adapter.
If you run journalctl -b and look for warnings/errors relating to
networking/WiFi you should be able to identify the problem.
You will,of course, have to switch to the working sys-net to actually
install any packages in the template. Also, as a minimal template it
does not have passwordless sudo installed - you can open a root terminal
with qvm-run -u root XXX xterm to get root and install packages.
I’ve tried this myself just now and if I create non-disposable sys-net2 based on debian-11-minimal with qubes-core-agent-networkingqubes-core-agent-network-manager packages then the network manager tray icon will appear in tray after sys-net2 start.
But if I create disposable sys-net2 then the tray icon won’t show up.
I’ve created disposable sys-net2 like this:
I would like to say I am not completely newb to Linux. I have been using different distros as my daily drivers for seven years now. I would place myself to intermediate level in being “Linux-proficient.”
I am missing Network Manager icon. Since that is absent, I am not sure whether my sys-net has internet connection or not.
I think you are right in saying I may be missing drivers for my specific WiFi adapter. I do not have the specs of it off-the-top of my head, but I think pointing out that it is the stock wifi adapter that comes with a Thinkpad X220 would suffice.
I am now reminded of firmware-iwlwifi package being mentioned in Sven’s guide I linked in my OP. I will install that package to my deb-11-min-net template and try again.
Btw, do I need to change sys-firewall’s template, too? Or, can it (for now) stay as the default debian-11-dvm?
Okay. I managed to get it working. Here I am writing the step by step instructions:
Install debian-11-minimal template. Clone it into a new template and remove the original downloaded template:
(in dom0) $ qvm-template install debian-11-minimal
(in dom0) $ qvm-clone debian-11-minimal deb11min-net
(in dom0) $ qvm-remove -f debian-11-minimal
Here, deb11min-net template is the one we will modify and use for our network connection needs for sys-net.
Update your whole system (thus update your newly downloaded deb11min-net template):
(in dom0) $ qubesctl --show-output state.sls update.qubes-dom0
(in dom0) $ qubes-dom0-update --clean -y
(in dom0) $ qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
Using apt update and upgrade your deb11min-net template:
(in dom0) $ qvm-run --pass-io -u root deb11min-net "apt update && apt full-upgrade -y"
Now install the necessary packages for network management:
(in dom0) $ qvm-run --pass-io -u root deb11min-net "apt install --no-install-recommends -y firmware-iwlwifi qubes-core-agent-networking qubes-core-agent-network-manager"
Shutdown the internet-connected qubes in order to modify sys-net settings:
(in dom0) $ qvm-shutdown sys-whonix
(in dom0) $ qvm-shutdown sys-firewall
(in dom0) $ qvm-shutdown sys-net
Create a disposable vm out of the deb11min-net template, for acting as yet another template for the sys-net, and then base the sys-net on top of this newly created disposable template:
(in dom0) $ qvm-create --template deb11min-net --label red deb11min-net-dvm
(in dom0) $ qvm-prefs deb11min-net-dvm template_for_dispvms True
(in dom0) $ qvm-features deb11min-net-dvm appmenus-dispvm 1
(in dom0) $ qvm-prefs sys-net template deb11min-net-dvm
Finally, restart your whole QubesOS
(in dom0) $ sudo reboot now
After doing these steps, you should have a working internet connection using your minimal debian template (deb11min-net).
For comparison, here are the number of packages between debian-11 and our deb11min-net:
debian-11: 1332 packages
deb11min-net: 486 packages
This is 3x less packages, yet giving you the same functionality.
Thanks to @tzwcfq , @unman , @Sven and qubes-os documentation for guiding me.
As I understand it, what that line of code does is to cause your disposable template to show in two places on your menu–(I am assuming the standard xfce menu at the upper left–it’s very different in KDE as I found out last night). Up near the top, you get a reference to this dvm, and if you click on it you will get a new disposable virtual machine (i.e. one with a name like disp1234). Scrolling clear down to the bottom the menu item of the same name lets you open the template. You probably don’t want the first one for your network qube, so I don’t think you want this line in your procedure.
(Fortunately, if you decide you agree, you can undo it without repeating the whole process, just re-issue but use “” (two double quotes, no space) in place of the 1.)
Unfortunatly one can not change the template from fedora-36-minimal to fedora-36-minimal-dvm (or maybe fortunatly, as one could kill /home/user/ with that)… so, I followed your guide with modifications for fedora-36-minimal-dvm and added:
qvm-service sys-net2 clocksync on
Why did you
qvm-service sys-net2 meminfo-writer off
and what is this meminfo-writer for anyhow?
PPS: that’s the cli equivalent for “Include in memory balacing” option in the “Advanced”-tab of “Qube Manager” Qube-Settings.
PS: btw, I’m using my new sys-net for wired uplink only, so a disposable is perfectly fine. For wifi I’ve got a sys-wifi which is a non-disposable and has a bunch of <wifiname.nmconnection>s stored in /rw/config/NM-system-connections/.
Store these in its dvm-template’s /rw/config/NM-system-connections/ and you’re good to go with disposable wifi too. I’m even more extreme. I have one dvm-template per connection with only one wifi firmware per dvm template, meaning I’m not connecting to the same wifis with different devices.