Is there anyway to create a "child template" with a small modifcation from the original template? Or am I using templates wrong?

So here is my situation. I have my standard fedora-34 template which is the template for most of my vm’s. I want to install the nordvpn client into 1 or two vm’s only. I don’t want to add it to the fedora-34 because the system vms don’t need it and I don’t want to be installing unneeded software in them due to the potential security risk.

So of course, I can clone the fedora-34 template and make a fedora-34-nord template for the two vm’s that need it. My problem with this is both templates are now the same size taking up 5gb of space even though fedora-34-nord is really just a slight modification from fedora-34. Of course storage is dirt cheap and this isn’t a real problem.

Still, is there a “docker-like” solution with layers where I can have a child template or just a small layer on top of or added to the fedora-34 template. Ideally hard-connected to the parent fedora-34 template so that when fedora-34 updates, fedora-34-nord updates as well. I don’t think this is possible with qubes currently based on my current knowledge.

Am I using templates wrong or something? Is there a better solution to my problem then creating another full 5gb template just for one small app?

1 Like

You got three options:

  1. Clone fedora template as you described.
    Pro: easy, basic skills required
    Contra: lots of wasted space, now you have two fedora templates that need to be updated quite frequently

  2. Use minimal templates (fedora or debian).
    Pro: much smaller, reduced attack surface, less updates (less installed) and in case of debian also less frequent updates
    Contra: advanced skills required (reading/understanding documentation, install troubleshooting (diagnose dependencies)

  3. Install VPN in qube instead of template (in /home or using bind dirs)
    Pro: no template duplication
    Contra: advanced skills required (understanding which files and configs the VPN requires, where they are located and how to make them persist)

Your choice :slight_smile:

My recommendation: start with 1) and if you’d like work in parallel on 2) or 3) without pressure.

1 Like

I understand the sentiment here. I think the root of the issue here is that the system qubes rely on the fedora-34 template (at least by default), so the temptation is to add no new software to the fedora-34 template due to security and stability concerns.


I’m trying to decide what to do in this regard as well. I want most of the qubes to have LibreOffice, but the sys qubes obviously don’t need that.

Not to sidetrack the conversation, but I would seriously consider switching to a more trustworthy VPN provider (e.g. ProtonVPN, IVPN, Mullvad). I know NordVPN is very popular, and I used it for a few years, but it has serious issues. Here is a list I made a while back:

  1. The iOS app makes connections to Firebase (, which is owned by Google, which is the exact opposite of what you would want a VPN to do. After all, the P in VPN is Private, of which there is nothing private about Google. Interestingly, NordVPN also has an article called “What does google know about me?” They know you use NordVPN!
  2. They used to allow you to log in directly in the desktop client, but they changed that to some bizarre web login with this crazy, phishing-like domain that freaked a lot of people out when they implemented this. I still have no idea why they do this.
  3. Their website has Google trackers in it
  4. Their clients are closed-source AFAIK. For something as simple as a VPN client, there’s no reason to make it closed-source unless you’re trying to hide something (like connections to Google!)
  5. The iPhone app used to sign me out on a very frequent basis despite no changes to my account
  6. There is some potential weirdness with their company structure and questions about who actually owns/controls it and what they may be doing with customer data. I spent too much time reading about this and could never get a clear answer on this.
  7. The Windows client turns on their analytics upon every software update, despite users turning it off after every update… Hopefully they have since changed this, but I observed this on several successive updates.
  8. They create and store extensive log files on your PC. I can’t really comment on how common or benign this is, but I remember being pretty shocked at how detailed these were, as well as how long they went back in time. One also has to wonder what the purpose of this is - if they’re not for the user, who are they for?
  9. I never could figure out what all domains they used for this service., that crazy long domain they use for signing in on the desktop client, they had something called nordvpnforapps or something like that, then they were using How is a user supposed to tell what is legitimate or what may be phishing?

I will never touch another Nord product again.

1 Like

I’m assuming you’re referring to this (Minimal templates | Qubes OS) - is that correct? I like the idea, but I do wonder why something this handy isn’t implemented with the default sys qubes (sys-net, sys-usb).

Why does it matter if sys uses a template that has LibreOffice? Isn’t the VM the specialization, not the template?

Move the nord-vpn concerns onto the off-topic. This forum is mainly for discussing Qubes. I hope you understand.

There’s been extensive coverage of this in the threads on minimal
If the template has LibreOffice then the qube does too, and this means
it has a larger attack surface, in terms of libraries and code.
Some users prefer to use minimal templates for this reason.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

Theoretically, it does not matter. However, the more stuff in the templates that the sys qubes use, the greater the chance that something will go wrong (stability, security, etc.).

Ideally, the sys qubes would only ever use the absolute minimum to perform their functions.

To anyone considering minimal templates, I’d highly recommend developing an organizational system for your templates. You want to be able to keep track of which software you’ve installed in what. The saltstack software that Qubes packages makes this super easy, but of course you have to spend some time learning it.

Even if you just use a text file in dom0 to record your minimal setup and what you add to the minimal clones, that’ll be helpful.


I misunderstood what you want to do, I thought you want to make a copy of the fedora template just to remove libreoffice.

It makes sense to use a minimalistic template for the sys qubes without stuff like the X server.