I’ve just created a standalone minimal Debian qube, Printer. The clever ones among you will recognize that the qube is for a printer, (EDIT) which will be non-networked - I’ve downloaded (in another qube) and copied Brother’s drivers to the new qube.
However, the minimal doesn’t have CUPS, which the driver needs. (EDIT) I’ve hooked it up to sys-firewall. I’ve tried to install from sudo apt install cups and also sudo apt update && sudo apt upgrade (by dom0: qvm-run -u root Printer xterm), but I keep running into an inability to connect to the network, e.g. ping 8.8.8.8 doesn’t work.
I’ve tried sys-firewall and a sys-vpn as net-vms, but it isn’t working.
Is there something special about minimal templates that I am not getting?
The following list provides an overview of which packages are needed for which purpose. As usual, the required packages are to be installed in the running template with the following command (replace packages with a space-delimited list of packages to be installed):
I’m out of my depth immediately. What I understand from that is that it’s allowing a ‘tunnel’ through a proxy to access servers for the update. Like template updates.
What I don’t understand there is how to figure out what is running the proxy. Is that sys-firewall?
If you enable updates using proxy for your qube then it’ll use the updatevm that you choose for downloading updates.
For example, if you use sys-firewall for updating your templates and you want to use it for your standalone updates then you need to:
Add and enable updates-proxy-setup service in your standalone qube Settings → Services tab.
Add the qrexec policy to enable using sys-firewall as Updates Proxy for your standalone qube. For this open Q → gear icon → Qubes Tools → Qubes Policy Editor → menu File → Open → 30-user
Add this line at the end of this file and press “Save Changes”:
Maybe you’ve made an error in policy syntax?
Remove/comment out the line that you’ve added and try to open Qubes Update tool again.
If it won’t help then try to reboot.
I’ve tested this on my system and I didn’t have this issue.
I don’t know what that was. Syntax was fine. I had to shut down anyway a few hours ago and the Updater dialog is now working fine again.
However, the update for the new qube doesn’t work:
Updating Printer
Refreshing package info
Ign:1 https://deb.debian.org/debian bookworm InRelease
Ign:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
Ign:3 https://deb.debian.org/debian-security bookworm-security InRelease
Ign:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
Ign:1 https://deb.debian.org/debian bookworm InRelease
Ign:3 https://deb.debian.org/debian-security bookworm-security InRelease
Ign:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
Ign:1 https://deb.debian.org/debian bookworm InRelease
Ign:3 https://deb.debian.org/debian-security bookworm-security InRelease
Err:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: >
Err:1 https://deb.debian.org/debian bookworm InRelease
Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: >
Err:3 https://deb.debian.org/debian-security bookworm-security InRelease
Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: >
Reading package lists...
E: Failed to fetch https://deb.debian.org/debian/dists/bookworm/InRelease Read>
E: Failed to fetch https://deb.debian.org/debian-security/dists/bookworm-securi>
E: Failed to fetch https://deb.qubes-os.org/r4.2/vm/dists/bookworm/InRelease R>
E: Some index files failed to download. They have been ignored, or old ones use>
This suggests that… What, exactly? The proxy is working but it’s just not reaching the servers? The qube has been added to the Qubes Updater machinery, but still can’t negotiate a network connection? It’s pretty much exactly the same error I received when working on the command line.
Do I need to load the networking package just to get any connectivity at all in a minimal qube?
Looks like I’m not the only one having issues, but I don’t like their solution for this. Also a not-very-informative reddit post on debian-11-minimal - “some” unspecified packages missing.
It works for me in standalone created from default debian-12-minimal without installing any additional packages.
Maybe there is an error in the policy that you’ve added.
You can use GUI to add this policy instead.
Remove the policy that you’ve added.
Open Q → gear icon → Qubes Tools → Qubes Global Config → Updates tab → in “Update proxy” block add policy for your qube in “With the following exceptions”.
Did you add updates-proxy-setup service in your standalone qube Settings → Services tab? Do you have any other services there?
The Policy Editor will not let me delete the policy text and save the file.
I can’t find where 30-user - as a file - is kept, so I can’t delete it.
I don’t think there is an error: qubes.UpdatesProxy * Printer @default allow target=sys-firewall
The Editor won’t let you save if there is an error, actually. It has a checking function.
Experimenting with Global Config>Updates, it froze then either crashed, or belatedly reacted to my click on “OK” with latency, not sure.
Anyway, using the GUI, changing/creating an exception for the Printer qube to use sys-firewall and then sys-net. Both fault out when I try to run Updater.
I’m just going to trash it. I don’t understand, but it’s not essential - I can use a full debian template.
Does it show some error?
Or is “Save Changes” button inactive after editing the text in the window?
It’s in dom0 /etc/qubes/policy.d/30-user.policy.
Maybe you’ve changed the default configuration for your Printer qube somewhere else?
Try to create new test Standalone from debian-12-minimal and enable updates using proxy there.
If I edit it and it’s not in the right format (e.g. I haven’t tabbed across enough between column entries), it greys out (and maybe throws an error message, not sure).
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
Unit qubes-updates-proxy-forwarder.socket could not be found
I don’t know how to check this. I always assumed it’s sys-firewall, but that’s because I am used to the messages I used to get on 4.1, which I think stated it explicitly.
When I look at the default setting in Global Config → updates, it’s set as sys-net. I am a little surprised at that - I haven’t been in there before now. I am now uncertain if I have accidentally changed this, or if that is due to something else.
What are the security implications of updates happening via sys-net?
(And as always, the niggling worry, “have I been hacked”?)
That’s expected, but if you remove the whole policy line then the file should still be in the correct format. So I’m not sure what was happening for you.
It seems that updates proxy is not running in your test qube.
Are you sure that you’ve added and enabled the updates-proxy-setup service for test qube?
Can you open test qube Settings → Services and confirm that updates-proxy-setup line is present in the field along with qubes-updates-check and you see the check mark to the left of updates-proxy-setup?
I think the default is sys-net.
Try to configure the test qube to update over sys-net instead of sys-firewall in Qubes OS Global Config.
If you don’t need to configure firewall rules for updates then you can use sys-net as updatevm.
If you want to use sys-firewall as your updatevm you need to add qubes-updates-proxy service to your sys-firewall qube.
That’s strange, the service should exist.
What template are you using for test qube?
I’d suggest for you to install the fresh debian-12-minimal template from repository and try with it.
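The thread's checks combined into one added example (not code from any poster or from the Qubes project): it resolves which qube a `qubes.UpdatesProxy` policy line sends a source qube to, then verifies the two services named above, `updates-proxy-setup` on the client and `qubes-updates-proxy` on the target. The policy file contents, qube types and service sets are constructed sample data, and the matcher is a simplified assumption that only handles exact names, `@anyvm` and `@type:` sources and ignores the destination column.

```python
# Added example: resolve which qube serves qubes.UpdatesProxy for a source qube.
# Policy text, qube types and service sets below are constructed sample data.

POLICY_FILES = {  # evaluated in lexical file-name order; first matching line wins
    "30-user.policy": "qubes.UpdatesProxy * Printer @default allow target=sys-firewall\n",
    "90-default.policy": "# constructed stand-in for the shipped defaults\n"
                         "qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net\n"
                         "qubes.UpdatesProxy * @anyvm @anyvm deny\n",
}
QUBE_TYPES = {"Printer": "StandaloneVM", "debian-12-minimal": "TemplateVM"}
# Services enabled per qube (what Settings -> Services would show), constructed.
SERVICES = {"Printer": {"updates-proxy-setup"}, "sys-net": {"qubes-updates-proxy"},
            "sys-firewall": set()}

def source_matches(token, qube):
    """Simplified source matching: exact name, @anyvm, or @type:<class>."""
    if token in ("@anyvm", qube):
        return True
    return token.startswith("@type:") and QUBE_TYPES.get(qube) == token[6:]

def resolve_updates_proxy(qube, files=POLICY_FILES):
    """Return (action, target, file) of the first qubes.UpdatesProxy rule matching qube."""
    for name in sorted(files):
        for line in files[name].splitlines():
            fields = line.split("#", 1)[0].split()  # drop comments, split on any whitespace
            if len(fields) < 5 or fields[0] != "qubes.UpdatesProxy":
                continue
            _service, _arg, source, _dest, action, *params = fields
            if not source_matches(source, qube):
                continue
            opts = dict(p.split("=", 1) for p in params if "=" in p)
            return action, opts.get("target"), name
    return "deny", None, None  # nothing matched: treated as denied

def diagnose(qube, services=SERVICES):
    """List the misconfigurations discussed in the thread for one client qube."""
    problems = []
    action, target, _ = resolve_updates_proxy(qube)
    if action != "allow" or target is None:
        problems.append(f"no allow rule with target= for {qube}")
    elif "qubes-updates-proxy" not in services.get(target, set()):
        problems.append(f"{target} does not have qubes-updates-proxy enabled")
    if "updates-proxy-setup" not in services.get(qube, set()):
        problems.append(f"{qube} does not have updates-proxy-setup enabled")
    return problems

if __name__ == "__main__":
    print(resolve_updates_proxy("Printer"), diagnose("Printer"))
```

With the sample data, the 30-user line wins for Printer and the only finding is the missing `qubes-updates-proxy` service on sys-firewall.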