I got an update suggestion. On ArchWiki it is stated that this is the usual place to host user systemd unit files:
~/.config/systemd/user/ where the user puts their own units.
Therefore I decided to put mine there. It avoids the need for root (or sudo?) to own it. In such a setup, systemd already “knows” that the file is to be run as user. Therefore, the User and Group parameters become superfluous. In fact, I discovered the hard way they just confuse it. Of course, it means that the cp command in rc.local should be modified to this:
At the very least it helped me. The following two commands, and searching the errors on the web, helped me discover issues (including the one I mentioned):
systemctl --user status monerod
journalctl --boot --user -f -u monerod
I have trouble mining with this setup. I launch the mining daemon through the wallet with this command: start_mining 1 true true. It launches one mining thread, tells it to background-mine, and tells it to not query battery status (which it can’t do anyway). After an hour, the log shows this message:
…[P2P9] WARNING global src/p2p/net_node.inl:2093 No incoming connections - check firewalls/routers allow port 18080
How do I solve it? Do I need to forward the port in some way?
Edit: Also, when I installed Qubes 4.1 I set sys-net as a static disposable VM. I thought it may be worth mentioning.
This needs to be updated for Whonix 17 on Qubes 4.2
I had this setup working on Whonix 15-16, but it is not working on Whonix 17. I want to try your solution here of using qvm-connect-tcp, however Whonix 17 no longer uses /etc/qubes-rpc/policy, so where would you set up the qubes.ConnectTCP info? In /etc/qubes/policy.d/ somewhere? It seems 30-user.policy is the only place you are supposed to edit there.
Qubes 4.2 is based on the new policy system. Now you must explicitly write the qrexec policy name you want to use in a policy file. For example, you could have a file here /etc/qubes/policy.d/30-user.policy with:
Thanks! I added that and my connection worked immediately. To summarize, with Qubes 4.2 and Whonix 17 @MrA’s post should work, with the following changes @DVM gives above.
OLD Step 4 (in dom0)
NEW Step 4 (in dom0)
Edit the policy file: sudo nano /etc/qubes/policy.d/30-user.policy
Add the following line: qubes.ConnectTCP +18081 monero-wallet @default allow target=monerod
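The policy line summarized in the post above, checked by an added example that is not part of the original thread: a small linter for Qubes 4.2 policy text that flags qubes.ConnectTCP allow rules broader than that single-port rule. The function names and the sample policy are constructed for illustration; the field layout assumed is service, +argument, source, destination, action, then key=value options.

```python
"""Lint Qubes 4.2 qrexec policy text for broad qubes.ConnectTCP rules (added example)."""

ACTIONS = {"allow", "deny", "ask"}

def parse_rule(line):
    """Return the fields of one policy line, or None for blanks, comments, !include."""
    line = line.strip()
    if not line or line[0] in "#!":
        return None
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"expected 5+ fields: {line!r}")
    service, arg, source, dest, action = fields[:5]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if arg != "*" and not arg.startswith("+"):
        raise ValueError(f"argument must be '*' or start with '+': {arg!r}")
    # Options such as target=monerod follow the action as key=value pairs.
    params = dict(p.split("=", 1) for p in fields[5:])
    return {"service": service, "arg": arg, "source": source,
            "dest": dest, "action": action, "params": params}

def lint_connect_tcp(text):
    """Return (line_number, message) for each over-broad ConnectTCP allow rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "allow":
            continue
        if rule["service"] not in ("qubes.ConnectTCP", "*"):
            continue
        if rule["arg"] == "*":
            findings.append((n, "no +port argument: every TCP port is allowed"))
        if "@anyvm" in (rule["source"], rule["dest"]):
            findings.append((n, "@anyvm used: rule is not pinned to named qubes"))
        if rule["dest"] == "@default" and "target" not in rule["params"]:
            findings.append((n, "@default destination without target="))
    return findings

# Constructed sample; line 2 is the rule quoted in the thread.
SAMPLE = """\
# /etc/qubes/policy.d/30-user.policy (constructed sample)
qubes.ConnectTCP +18081 monero-wallet @default allow target=monerod
qubes.ConnectTCP * @anyvm @anyvm allow
qubes.ConnectTCP +18081 monero-wallet @default allow
"""

if __name__ == "__main__":
    for n, msg in lint_connect_tcp(SAMPLE):
        print(f"line {n}: {msg}")
```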
I had hopes I’d be saving myself some time, so I got around to upgrading a box to 4.2 using backups of monerod and wallet VMs moved to Whonix 17 on restore. However, despite the policy edit in dom0, monerod doesn’t want to fly. Did you use a backup for yours? @scallyob
journalctl tells me it doesn’t have /usr/bin/monerod to play with. (Guessing …) Does the edit also require a change to /qubes-rpc/user.monerod?
I did an install in place from 4.1 to 4.2, then installed Whonix 17 template, made a modified one to work with my monero AppVMs and then switched that to be the template for them.
Whonix does not come with monerod installed so you do need to install it. The Whonix docs have you use flatpak, but I just manually download it from the monero project and copy the executables I need to /usr/bin/.
Other posters in this thread (a few posts above) have different directives in their policy files, including qubes.ConnectTCP and @default directives, while your example doesn’t have those. Why? What’s the difference?
Isn’t using the existing qubes.ConnectTCP better (“more secure”) in this case? It seems like qubes.ConnectTCP limits the capability to sharing just a single TCP port, while defining user.monerod seems like allowing “everything” between the target and source qubes.
Okay so I am trying to understand this whole thing. I have been reading the Qubes OS documentation as well as the Whonix guide and the protonmail-bridge guide you’ve linked. It seems like the main cause for complexity is that I need to set up policy files and startup command files in dom0 AND the AppVMs.
The policy file in the dom0 will be stored in /etc/qubes/policy.d/30-user.policy file and will contain, what? – I guess something about qubes.ConnectTCP?
There will be another qubes-rpc stuff inside monerod-ws qube, which will be stored in /rw/usrlocal/etc/qubes-rpc/user.monerod file and will contain some socat command.
There will be a command line command defined in monero-wallet-ws qube inside the /rw/config/rc.local/ file which will contain socat TCP-LISTEN[...] command.
Another cause for confusion is the terms “service name” and “policy”. What is “service name” in this context?
Policies are defined in lines with the following format: