New user, confused on VPN stuffs

Actually you can, and the only command upon this that might be needed to execute in dom0’s terminal is

$ qvm-features <my-dvm-template> appmenus-dispvm 1

That’s confusing. I can set in GUI but I have to use Terminal?

This is one of the many safety Qubes features. I am ex-Windows user too, and started only recently with Qubes and Linux. One of the first things I determined to do is to say goodbye to my conformism in using secure OS, reasonably as Qubes is if I want to digitally survive.

It is advised for different “issues” and issues always to create separate topics, due to better visibility so other users could find the answer easier.

Acknowledged. Thank you for the course correction.

For those stumbling across this in the future:

Copy to AppVM you are using to post a message on here.

2 Likes

Yes. You can either type both commands in terminal upon creating app qube, or the way I stated: using GUI instead of the first command (because I create qubes (VMs) via GUI Qube Manager, and when I am already there, I just check this option too).
I just wanted to point out that it is not correct that you cannot create a disposable template by checking this option. You can, and it’ll work, but if you want to use disposable qubes based on dvm-template (so called dispxxx), you would have to execute the other command in terminal.

Can you elaborate on this please?

I’d like to, but I need to know what isn’t already clear enough?

1 Like

Oh I found it! Thanks! Have not found it when I was searching it a while back so I just used the terminal…

Well, not really. It is in the advanced tab, but I would not say this is advanced stuff but just normal “one usually wants disposable with different netvms” use case scenarios.

So config usually is in the AppVM/DVM-Template. In Linux there are multiple locations for configuration.
Some applications have their config in /etc/, which is Template territory, and others have it in ~/.config/ which is AppVM/DVM-Template territory.

I am not aware of an IRC, but there is an unofficial Matrix room, and all Matrix homeservers (I care about) accept Tor users. You will find it by searching for QubesOS.

You can just create a normal screenshot. This is saved in ~/Pictures/. You can transfer it to any qube with qvm-copy-to-vm <qube> <file>

1 Like

Gotcha. It’s like someone thought this out…

This is exactly the difficult part new Qubes users get fed up with.

So Disposable: Your disp1234 machines, that have no persistence.
Those are started internally by launching a copy of your disposable template (for example whonix-ws-16-dvm).
This is usually what one wants to use productively.
The menu items are created with the command @enmus mentioned.

DVM: The AppVM that is the template. Sometimes you want to run the template itself instead of those volatile children to set config or whatever for your disp1234 qubes.
They have their own menu entry.

So you have one qube, the disposable template, that created 2 menu entries. One for the disposable, fully volatile children, and one for running the template itself with ~/ persistence.

Sorry for being so dense. Are you saying that I would need to execute the install commands on the DispVM?

Clear as mud. Kidding of course. That’s a total re-wire of my brain. Makes a lot of sense tho.

I will explain it with a practical example.

Your whonix disposables.

disp1234 is the actual volatile disposable qube that runs usually your Tor browser and you browse with it.

It is created by launching a copy of whonix-ws-16-dvm. That one is the disposable template. Internally just an AppVM that has the flag the system knows that you want to spawn those disp1234 things out of it, and create the additional menu item for doing so (with the command line unfortunately)

This whonix-ws-16-dvm inherits the main system from its template, whonix-ws-16.

So say you want to do 2 things:

  1. You want to have libreoffice installed in all your whonix disp1234 qubes.
  2. You want a picture of Stallman in your home directory.

You would have to:

  1. Launch the template of your disp-template (whonix-ws-16), to install libreoffice there, as it is part of the system.
  2. Launch the dispVM-template (whonix-ws-16-dvm) and store your stallman picture in the home there

Then you can launch your disposables (disp1234) and find the picture in your home directory, that is inherited from the disposable-template, and the application libre-office, which is inherited from the base template.

If you install your libreoffice in your disposable-template (whonix-ws-16-dvm) it will not be persistent, as it is installed outside of ~/.

If you store your stallman picture in the home directory of your base template (whonix-ws-16) it will get overwritten by the home directory of your disposable-template, when you launch your actual disposables (disp1234).

1 Like

No problem. Remember, I know where your confusion comes from, most probably. I am an ex-Windows user.
I think, as @Suspicious_Actions already told you, disposables are somewhat advanced, and I’d stop here if I were you, because we deal here with the term almost unknown in Windows:

persistence

Once you are sure what this means in terms of Qubes and Linux, everything will be easier later, especially with disposables.

Yeah this disposable setup is really radical at first. I think everybody is confused with that at first, but it makes sense when one gets it once :)

Better start with thinking about how AppVMs work, and after understanding that, you can simply “add the disposable” mechanism in your mind, by thinking “disposables are just copies of AppVMs that now are called disposable-templates or DVMs” and you get the dvm-template approach.

Think of a disposable as a prepaid SIM. You buy it for one call, and you trash it, and buy another one for the next call. All the time you are using mobile phone’s “dvm-template” infrastructure, but each time you have another SIM number thus being (theoretically) more secure because no additional charges (damage to your computer system) can be done to your account, and if you reset your phone to factory defaults, no traces of using previous SIM card can be evidenced. Your “dvm-template” mobile phone is using your mobile provider’s “template” infrastructure by connecting to it (dvm-template based on a template). What you get by this are automated settings for Wifi, GSM, etc, you know the process.

Does this banal analogy make sense at all, or does it bring additional confusion? Please let me know if so, so I could delete the content of this post. Please excuse me if it sounds offensive, it’s not my intention, but to introduce you as fast as possible to the matter, not knowing your pre-knowledge.

1 Like

Maybe a Windows analogy would help.

Assume you have an unlimited supply of HDDs.

So you install Windows on one HDD. This HDD with Windows is your Template.

Maybe you know that on Windows you can store your personal files on another partition that can be on another HDD.

This is your AppVM: You boot off your internal HDD, but you store your Desktop, Download folder and other personal files on an external HDD.

Launching your AppVM would be:

  1. Copy your template (the windows installation) to a new HDD and boot from it
  2. Plug in your external HDD, where your Desktop and stuff like that is stored.

When you shutdown, you throw away the internal boot HDD, but keep the external HDD with your files to use the next time you boot.

You can create more AppVMs with the same template, by having other external HDDs to plug in. It is like having multiple computers with the same system, but different files.

You can install Software in these AppVMs, but if you restart the AppVM you copy your base template again to boot from, so your installed software would be gone. You would have to install it in this “master system” HDD to have the software in your AppVM.

You can create a disposable-template out of your external disk. Starting disposables from it would work like this:

  1. Copy your template to a HDD and boot off it
  2. Copy your external drive to another new one and plug it in.

After you are finished, you throw away both HDDs.

Again, you can install software or modify files in those, but as you throw them away after usage and copy from your templates when starting another disposable, all your changes (and installed software and malware) would be lost.

Maybe this is easier to imagine… maybe not. idk. If it confuses you: Don’t let this confuse you pls.

1 Like

Not sure if this will help but thought I’d drop it.

Welcome to Qubes, stick with it!

2 Likes

KarlinQubes,

This is definitely easy mode. Thank you!

I am trying to learn as I go (lots of rabbit holes). Someone’s script doing it all for me is nice and easy. I’m also interested in the nuts and bolts of it so I can write my own scripts or tweak other people’s scripts.

I see hkbakke has a custom config file for the WireGuard network config. Which subnet/dns should be in there? Does it need to match my net-vpn (based on TemplateVM fedora-34-wireguard) IP/DNS? :EDIT: This is provided by my VPN provider. Sorry for the dumb Q.

I never had confusion on the purpose and usage. That is a good analogy though.

Windows does shit stupid. I’d rather fumble in Linux terminology.

Just to ensure I’m understanding the workflow here:

1.) Clone base template (fedora in this case) called fedora-34-wireguard, install WireGuard, shutdown
2.) Create new Qube
    Name and label: net-vpn-narnia
    Type: AppVM
    Template: fedora-34-wireguard
    Networking: default (sys-firewall)
    Advanced Tab: Enable ‘Provides network access to other qubes’
3.) Repeat #3 named ‘net-vpn-missing_sock_universe’
4.) Configure WireGuard unique tunnels on each net-vpn-* AppVM, shutdown/restart
5.) Create AppVM named ‘fedora-34-vpn-narnia’ using networking ‘net-vpn-narnia’
6.) Create AppVM named ‘fedora-34-vpn-missing_sock_universe’ using ‘net-vpn-missing_sock_universe’
7.) … so let’s just rest.

Does this still hold true? If I did my 7 steps correctly?

Thanks for this rabbit hole.

Got it all working now. Thank you again everyone!

1 Like
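
The qube layout from the numbered workflow above, written as dom0 commands, with a check that each client qube is wired to its own VPN qube rather than straight to sys-firewall. This is an added example, not a script from any poster in the thread or from the hkbakke repository mentioned; the `fedora-34` client template, the label colours, the helper names and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example: dom0 commands for steps 1-3 and 5-6 of the workflow above.
# Step 4 (the WireGuard tunnel config) happens inside each net-vpn-* qube.
# Assumption: DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: clone the base template; WireGuard is then installed in the clone.
make_vpn_template() {   # $1 = base template, $2 = name of the clone
    run qvm-clone "$1" "$2"
}

# Steps 2-3: one network-providing AppVM per tunnel, upstream is sys-firewall.
make_vpn_qube() {       # $1 = WireGuard template, $2 = tunnel name
    run qvm-create --class AppVM --template "$1" --label orange "net-vpn-$2"
    run qvm-prefs "net-vpn-$2" provides_network True
    run qvm-prefs "net-vpn-$2" netvm sys-firewall
}

# Steps 5-6: a client AppVM whose only network path is its own VPN qube.
make_client_qube() {    # $1 = client template (assumed), $2 = tunnel name
    run qvm-create --class AppVM --template "$1" --label yellow "$1-vpn-$2"
    run qvm-prefs "$1-vpn-$2" netvm "net-vpn-$2"
}

# Bypass check: a *-vpn-<name> client must have netvm net-vpn-<name>.
netvm_ok() {            # $1 = client qube, $2 = output of: qvm-prefs "$1" netvm
    case "$1" in
        *-vpn-*) [ "$2" = "net-vpn-${1##*-vpn-}" ] ;;
        *) return 1 ;;
    esac
}

build_chain() {
    make_vpn_template fedora-34 fedora-34-wireguard
    for n in narnia missing_sock_universe; do
        make_vpn_qube fedora-34-wireguard "$n"
        make_client_qube fedora-34 "$n"
    done
}

build_chain
```

After a real run, `netvm_ok fedora-34-vpn-narnia "$(qvm-prefs fedora-34-vpn-narnia netvm)"` returns non-zero if the client was left on the default netvm.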