Qubes in tmpfs 🤫

Just to say a thank you, it does work but was a bit of a challenge for me:

I set up dom0 with a 32768 RAM value, as my laptop has 64 GB.
Irrespective of the boot selection (yes or no), that value stays, whether persistent or not. Not very practical if I choose to use "persistent" mode.

Any work around ?

And one more Q (too much Port tonight): how the heck can I identify which boot mode I'm running in now :slight_smile: !?

Again, I appreciate your effort, I'm much obliged!

You must create templates in varlibqubes (they are created in the vm-pool by default), then you must create AppVMs also in varlibqubes. Then the data will not be saved if you have entered all commands correctly.
See this comment Qubes in tmpfs 🤫 - #56 by qstateless

If someone wants to experiment with overlayfs, you can use this script as a starting point GitHub - fitu996/overlayRoot.sh: Read-only Root-FS for most linux distributions using overlayfs.

Wow! A more efficient way to run Qubes Live has been proposed on the Whonix forum! Whonix in live mode in Qubes OS! Amnesia and anti-forensics mode - #16 by bigboy - Support - Whonix Forum

Whonix and Kicksecure in Live Mode with OverlayFS in Qubes OS

Qubes in tmpfs :shushing_face: - #30 by qstateless - Community Guides - Qubes OS Forum - The method of copying to zram is very slow, less secure and has more limitations on memory usage in live mode than OverlayFS. With OverlayFS the / filesystem will be read-only, launching in live mode will be very fast, and you will also have more free disk space. The original live mode in Whonix and Kicksecure works on OverlayFS.

Instructions (do it in dom0):

  1. Disable Dom0 Swap:
sudo nano /etc/fstab

Using nano, type a # character in front of the line containing “/dev/mapper/qubes_dom0-swap”, to comment it out and disable it, like this:

#/dev/mapper/qubes_dom0-swap ...

Press Ctrl + O and Enter
Press Ctrl + X to exit nano editor.

sudo swapoff -a
  2. Create a folder 90overlay-root in /usr/lib/dracut/modules.d.
    sudo mkdir /usr/lib/dracut/modules.d/90overlay-root
  3. Create two files module-setup.sh and overlay-mount.sh in this folder and make them executable.
sudo touch /usr/lib/dracut/modules.d/90overlay-root/module-setup.sh
sudo touch /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh
sudo chmod 755 /usr/lib/dracut/modules.d/90overlay-root/module-setup.sh
sudo chmod 755 /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh
  4. Open module-setup.sh
    sudo nano /usr/lib/dracut/modules.d/90overlay-root/module-setup.sh
    Add this code:
#!/bin/bash

check() {
    # do not add modules if the kernel does not have overlayfs support
    [ -d /lib/modules/$kernel/kernel/fs/overlayfs ] || return 1
}

depends() {
    # We do not depend on any modules - just some root
    return 0
}

# called by dracut
installkernel() {
    hostonly='' instmods overlay
}

install() {
    inst_hook pre-pivot 10 "$moddir/overlay-mount.sh"
}

Press Ctrl + O and Enter
Press Ctrl + X to exit nano editor.

  5. Open overlay-mount.sh
    sudo nano /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh
    Add this code:
#!/bin/sh

# make a read-only root writeable by using overlayfs
# (this hook was written for an nfsroot; here the lower layer is dom0's root volume)
# the root is already mounted to $NEWROOT
# add the parameter rootovl to the kernel, to activate this feature

. /lib/dracut-lib.sh

if ! getargbool 0 rootovl ; then
    return
fi

modprobe overlay

# a little bit tuning
# (the nfsroot version of this hook also passes "nolock"; that is an NFS-only option
#  and a local root rejects the whole remount with it, so it is left out here)
mount -o remount,noatime $NEWROOT

# Move root
# --move does not always work. Google >mount move "wrong fs"< for
#     details
mkdir -p /live/image
mount --bind $NEWROOT /live/image
umount $NEWROOT

# Create tmpfs
mkdir /cow
mount -n -t tmpfs -o mode=0755,size=100% tmpfs /cow
mkdir /cow/work /cow/rw

# Merge both to new Filesystem
mount -t overlay -o noatime,lowerdir=/live/image,upperdir=/cow/rw,workdir=/cow/work,default_permissions overlay $NEWROOT

# Let filesystems survive pivot
mkdir -p $NEWROOT/live/cow
mkdir -p $NEWROOT/live/image
mount --bind /cow/rw $NEWROOT/live/cow
umount /cow
mount --bind /live/image $NEWROOT/live/image
umount /live/image

Press Ctrl + O and Enter
Press Ctrl + X to exit nano editor.

  6. Create a file dracut-lib.sh in /lib (the path overlay-mount.sh sources) and make it executable
sudo touch /lib/dracut-lib.sh
sudo chmod 755 /lib/dracut-lib.sh

And add this code:

#!/bin/sh

type wait_for_dev > /dev/null 2>&1 || . /lib/dracut-dev-lib.sh

export DRACUT_SYSTEMD
export NEWROOT
if [ -n "$NEWROOT" ]; then
    [ -d "$NEWROOT" ] || mkdir -p -m 0755 "$NEWROOT"
fi

# shellcheck disable=SC2153
if [ -z "$PREFIX" ]; then
    if ! [ -d /run/initramfs ]; then
        mkdir -p -m 0755 /run/initramfs/log
        ln -sfn /run/initramfs/log /var/log
    fi

    [ -d /run/lock ] || mkdir -p -m 0755 /run/lock
    [ -d /run/log ] || mkdir -p -m 0755 /run/log
fi

debug_off() {
    set +x
}

debug_on() {
    [ "$RD_DEBUG" = "yes" ] && set -x
}

# returns OK if $1 contains literal string $2 (and isn't empty)
strstr() {
    [ "${1##*"$2"*}" != "$1" ]
}

# returns OK if $1 matches (completely) glob pattern $2
# An empty $1 will not be considered matched, even if $2 is * which technically
# matches; as it would match anything, it's not an interesting case.
strglob() {
    [ -n "$1" -a -z "${1##$2}" ]
}

# returns OK if $1 contains (anywhere) a match of glob pattern $2
# An empty $1 will not be considered matched, even if $2 is * which technically
# matches; as it would match anything, it's not an interesting case.
strglobin() {
    [ -n "$1" -a -z "${1##*$2*}" ]
}

# returns OK if $1 contains literal string $2 at the beginning, and isn't empty
str_starts() {
    [ "${1#"$2"*}" != "$1" ]
}

# returns OK if $1 contains literal string $2 at the end, and isn't empty
str_ends() {
    [ "${1%*"$2"}" != "$1" ]
}

trim() {
    local var="$*"
    var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
    var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
    printf "%s" "$var"
}

if [ -z "$DRACUT_SYSTEMD" ]; then

    warn() {
        check_quiet
        echo "<28>dracut Warning: $*" > /dev/kmsg
        echo "dracut Warning: $*" >&2
    }

    info() {
        check_quiet
        echo "<30>dracut: $*" > /dev/kmsg
        if [ "$DRACUT_QUIET" != "yes" ]; then
            echo "dracut: $*" >&2
        fi
    }

else

    warn() {
        echo "Warning: $*" >&2
    }

    info() {
        echo "$*"
    }

fi

vwarn() {
    while read -r line || [ -n "$line" ]; do
        warn "$line"
    done
}

vinfo() {
    while read -r line || [ -n "$line" ]; do
        info "$line"
    done
}

killall_proc_mountpoint() {
    local _pid
    local _killed=0
    for _pid in /proc/*; do
        _pid=${_pid##/proc/}
        case $_pid in
            *[!0-9]*) continue ;;
        esac
        [ -e "/proc/$_pid/exe" ] || continue
        [ -e "/proc/$_pid/root" ] || continue
        if strstr "$(ls -l -- "/proc/$_pid" "/proc/$_pid/fd" 2> /dev/null)" "$1"; then
            kill -9 "$_pid"
            _killed=1
        fi
    done
    return $_killed
}

getcmdline() {
    local _line
    local _i
    local CMDLINE_ETC_D
    local CMDLINE_ETC
    local CMDLINE_PROC
    unset _line

    if [ -e /etc/cmdline ]; then
        while read -r _line || [ -n "$_line" ]; do
            CMDLINE_ETC="$CMDLINE_ETC $_line"
        done < /etc/cmdline
    fi
    for _i in /etc/cmdline.d/*.conf; do
        [ -e "$_i" ] || continue
        while read -r _line || [ -n "$_line" ]; do
            CMDLINE_ETC_D="$CMDLINE_ETC_D $_line"
        done < "$_i"
    done
    if [ -e /proc/cmdline ]; then
        while read -r _line || [ -n "$_line" ]; do
            CMDLINE_PROC="$CMDLINE_PROC $_line"
        done < /proc/cmdline
    fi
    CMDLINE="$CMDLINE_ETC_D $CMDLINE_ETC $CMDLINE_PROC"
    printf "%s" "$CMDLINE"
}

getarg() {
    debug_off
    local _deprecated _newoption
    CMDLINE=$(getcmdline)
    export CMDLINE
    while [ $# -gt 0 ]; do
        case $1 in
            -d)
                _deprecated=1
                shift
                ;;
            -y)
                if dracut-getarg "$2" > /dev/null; then
                    if [ "$_deprecated" = "1" ]; then
                        if [ -n "$_newoption" ]; then
                            warn "Kernel command line option '$2' is deprecated, use '$_newoption' instead."
                        else
                            warn "Option '$2' is deprecated."
                        fi
                    fi
                    echo 1
                    debug_on
                    return 0
                fi
                _deprecated=0
                shift 2
                ;;
            -n)
                if dracut-getarg "$2" > /dev/null; then
                    echo 0
                    if [ "$_deprecated" = "1" ]; then
                        if [ -n "$_newoption" ]; then
                            warn "Kernel command line option '$2' is deprecated, use '$_newoption=0' instead."
                        else
                            warn "Option '$2' is deprecated."
                        fi
                    fi
                    debug_on
                    return 1
                fi
                _deprecated=0
                shift 2
                ;;
            *)
                if [ -z "$_newoption" ]; then
                    _newoption="$1"
                fi
                if dracut-getarg "$1"; then
                    if [ "$_deprecated" = "1" ]; then
                        if [ -n "$_newoption" ]; then
                            warn "Kernel command line option '$1' is deprecated, use '$_newoption' instead."
                        else
                            warn "Option '$1' is deprecated."
                        fi
                    fi
                    debug_on
                    return 0
                fi
                _deprecated=0
                shift
                ;;
        esac
    done
    debug_on
    return 1
}

# getargbool <defaultval> <args...>
# False if "getarg <args...>" returns "0", "no", or "off".
# True if getarg returns any other non-empty string.
# If not found, assumes <defaultval> - usually 0 for false, 1 for true.
# example: getargbool 0 rd.info
#   true: rd.info, rd.info=1, rd.info=xxx
#   false: rd.info=0, rd.info=off, rd.info not present (default val is 0)
getargbool() {
    local _b
    unset _b
    local _default
    _default="$1"
    shift
    _b=$(getarg "$@") || _b=${_b:-"$_default"}
    if [ -n "$_b" ]; then
        [ "$_b" = "0" ] && return 1
        [ "$_b" = "no" ] && return 1
        [ "$_b" = "off" ] && return 1
    fi
    return 0
}

isdigit() {
    case "$1" in
        *[!0-9]* | "") return 1 ;;
    esac

    return 0
}

# getargnum <defaultval> <minval> <maxval> <arg>
# Will echo the arg if it's in range [minval - maxval].
# If it's not set or it's not valid, will set it <defaultval>.
# Note all values are required to be >= 0 here.
# <defaultval> should be with [minval -maxval].
getargnum() {
    local _b
    unset _b
    local _default _min _max
    _default="$1"
    shift
    _min="$1"
    shift
    _max="$1"
    shift
    _b=$(getarg "$1") || _b=${_b:-"$_default"}
    if [ -n "$_b" ]; then
        isdigit "$_b" && _b=$((_b)) \
            && [ $_b -ge "$_min" ] && [ $_b -le "$_max" ] && echo $_b && return
    fi
    echo "$_default"
}

getargs() {
    debug_off
    CMDLINE=$(getcmdline)
    export CMDLINE
    local _val _i _gfound _deprecated
    unset _val
    unset _gfound
    _newoption="$1"
    for _i in "$@"; do
        if [ "$_i" = "-d" ]; then
            _deprecated=1
            continue
        fi

        if _val="$(dracut-getargs "$_i")"; then
            if [ "$_deprecated" = "1" ]; then
                if [ -n "$_newoption" ]; then
                    warn "Option '$_i' is deprecated, use '$_newoption' instead."
                else
                    warn "Option $_i is deprecated!"
                fi
            fi
            if [ -n "$_val" ]; then
                printf '%s\n' "$_val"
            fi
            _gfound=1
        fi
        _deprecated=0
    done
    if [ -n "$_gfound" ]; then
        debug_on
        return 0
    fi
    debug_on
    return 1
}

# Prints value of given option.  If option is a flag and it's present,
# it just returns 0.  Otherwise 1 is returned.
# $1 = options separated by commas
# $2 = option we are interested in
#
# Example:
# $1 = cipher=aes-cbc-essiv:sha256,hash=sha256,verify
# $2 = hash
# Output:
# sha256
getoptcomma() {
    local line=",$1,"
    local opt="$2"
    local tmp

    case "${line}" in
        *,${opt}=*,*)
            tmp="${line#*,${opt}=}"
            echo "${tmp%%,*}"
            return 0
            ;;
        *,${opt},*) return 0 ;;
    esac
    return 1
}

# Splits given string 'str' with separator 'sep' into variables 'var1', 'var2',
# 'varN'.  If number of fields is less than number of variables, remaining are
# not set.  If number of fields is greater than number of variables, the last
# variable takes remaining fields.  In short - it acts similary to 'read'.
#
# splitsep sep str var1 var2 varN
#
# example:
#   splitsep ':' 'foo:bar:baz' v1 v2
# in result:
#   v1='foo', v2='bar:baz'
#
# TODO: ':' inside fields.
splitsep() {
    debug_off
    local sep="$1"
    local str="$2"
    shift 2
    local tmp

    while [ -n "$str" -a "$#" -gt 1 ]; do
        tmp="${str%%$sep*}"
        eval "$1='${tmp}'"
        str="${str#"$tmp"}"
        str="${str#$sep}"
        shift
    done
    [ -n "$str" -a -n "$1" ] && eval "$1='$str'"
    debug_on
    return 0
}

setdebug() {
    [ -f /usr/lib/initrd-release ] || return
    if [ -z "$RD_DEBUG" ]; then
        if [ -e /proc/cmdline ]; then
            RD_DEBUG=no
            if getargbool 0 rd.debug -d -y rdinitdebug -d -y rdnetdebug; then
                RD_DEBUG=yes
                [ -n "$BASH" ] \
                    && export PS4='${BASH_SOURCE}@${LINENO}(${FUNCNAME[0]-}): '
            fi
        fi
        export RD_DEBUG
    fi
    debug_on
}

setdebug

source_all() {
    local f
    local _dir
    _dir=$1
    shift
    [ "$_dir" ] && [ -d "/$_dir" ] || return
    for f in "/$_dir"/*.sh; do
        if [ -e "$f" ]; then
            # shellcheck disable=SC1090
            # shellcheck disable=SC2240
            . "$f" "$@"
        fi
    done
}

hookdir=/lib/dracut/hooks
export hookdir

source_hook() {
    local _dir
    _dir=$1
    shift
    source_all "/lib/dracut/hooks/$_dir" "$@"
}

check_finished() {
    local f
    for f in "$hookdir"/initqueue/finished/*.sh; do
        [ "$f" = "$hookdir/initqueue/finished/*.sh" ] && return 0
        # shellcheck disable=SC1090
        { [ -e "$f" ] && (. "$f"); } || return 1
    done
    return 0
}

source_conf() {
    local f
    [ "$1" ] && [ -d "/$1" ] || return
    # shellcheck disable=SC1090
    for f in "/$1"/*.conf; do [ -e "$f" ] && . "$f"; done
}

die() {
    {
        echo "<24>dracut: FATAL: $*"
        echo "<24>dracut: Refusing to continue"
    } > /dev/kmsg

    {
        echo "warn dracut: FATAL: \"$*\""
        echo "warn dracut: Refusing to continue"
    } >> $hookdir/emergency/01-die.sh
    [ -d /run/initramfs ] || mkdir -p -- /run/initramfs

    : > /run/initramfs/.die

    if getargbool 0 "rd.shell"; then
        emergency_shell
    else
        source_hook "shutdown-emergency"
    fi

    if [ -n "$DRACUT_SYSTEMD" ]; then
        systemctl --no-block --force halt
    fi

    exit 1
}

check_quiet() {
    if [ -z "$DRACUT_QUIET" ]; then
        DRACUT_QUIET="yes"
        getargbool 0 rd.info -d -y rdinfo && DRACUT_QUIET="no"
        getargbool 0 rd.debug -d -y rdinitdebug && DRACUT_QUIET="no"
        getarg quiet || DRACUT_QUIET="yes"
        a=$(getarg loglevel=)
        [ -n "$a" ] && [ "$a" -ge 28 ] && DRACUT_QUIET="yes"
        export DRACUT_QUIET
    fi
}

check_occurances() {
    # Count the number of times the character $ch occurs in $str
    # Return 0 if the count matches the expected number, 1 otherwise
    local str="$1"
    local ch="$2"
    local expected="$3"
    local count=0

    while [ "${str#*$ch}" != "${str}" ]; do
        str="${str#*$ch}"
        count=$((count + 1))
    done

    [ $count -eq "$expected" ]
}

incol2() {
    debug_off
    local check
    local file="$1"
    local str="$2"

    [ -z "$file" ] && return 1
    [ -z "$str" ] && return 1

    while read -r _ check _ || [ -n "$check" ]; do
        if [ "$check" = "$str" ]; then
            debug_on
            return 0
        fi
    done < "$file"
    debug_on
    return 1
}

udevsettle() {
    # shellcheck disable=SC2086
    udevadm settle --exit-if-exists=$hookdir/initqueue/work $settle_exit_if_exists
}

udevproperty() {
    for i in "$@"; do
        udevadm control --property="$i"
    done
}

find_mount() {
    local dev wanted_dev
    wanted_dev="$(readlink -e -q "$1")"
    while read -r dev _ || [ -n "$dev" ]; do
        [ "$dev" = "$wanted_dev" ] && echo "$dev" && return 0
    done < /proc/mounts
    return 1
}

# usage: ismounted <mountpoint>
# usage: ismounted /dev/<device>
if command -v findmnt > /dev/null; then
    ismounted() {
        findmnt "$1" > /dev/null 2>&1
    }
else
    ismounted() {
        if [ -b "$1" ]; then
            find_mount "$1" > /dev/null && return 0
            return 1
        fi

        while read -r _ m _ || [ -n "$m" ]; do
            [ "$m" = "$1" ] && return 0
        done < /proc/mounts
        return 1
    }
fi

# Create udev rule match for a device with its device name, or the udev property
# ID_FS_UUID or ID_FS_LABEL
#
# example:
#   udevmatch LABEL=boot
# prints:
#   ENV{ID_FS_LABEL}="boot"
#
# TODO: symlinks
udevmatch() {
    case "$1" in
        UUID=????????-????-????-????-???????????? | LABEL=* | PARTLABEL=* | PARTUUID=????????-????-????-????-????????????)
            printf 'ENV{ID_FS_%s}=="%s"' "${1%%=*}" "${1#*=}"
            ;;
        UUID=*)
            printf 'ENV{ID_FS_UUID}=="%s*"' "${1#*=}"
            ;;
        PARTUUID=*)
            printf 'ENV{ID_FS_PARTUUID}=="%s*"' "${1#*=}"
            ;;
        /dev/?*) printf -- 'KERNEL=="%s"' "${1#/dev/}" ;;
        *) return 255 ;;
    esac
}

label_uuid_to_dev() {
    local _dev
    _dev="${1#block:}"
    case "$_dev" in
        LABEL=*)
            echo "/dev/disk/by-label/$(echo "${_dev#LABEL=}" | sed 's,/,\\x2f,g;s, ,\\x20,g')"
            ;;
        PARTLABEL=*)
            echo "/dev/disk/by-partlabel/$(echo "${_dev#PARTLABEL=}" | sed 's,/,\\x2f,g;s, ,\\x20,g')"
            ;;
        UUID=*)
            echo "/dev/disk/by-uuid/${_dev#UUID=}"
            ;;
        PARTUUID=*)
            echo "/dev/disk/by-partuuid/${_dev#PARTUUID=}"
            ;;
        *)
            echo "$_dev"
            ;;
    esac
}

# Prints unique path for potential file inside specified directory.  It consists
# of specified directory, prefix and number at the end which is incremented
# until non-existing file is found.
#
# funiq dir prefix
#
# example:
# # ls /mnt
# cdrom0 cdrom1
#
# # funiq /mnt cdrom
# /mnt/cdrom2
funiq() {
    local dir="$1"
    local prefix="$2"
    local i=0

    [ -d "${dir}" ] || return 1

    while [ -e "${dir}/${prefix}$i" ]; do
        i=$((i + 1)) || return 1
    done

    echo "${dir}/${prefix}$i"
}

# Creates unique directory and prints its path.  It's using funiq to generate
# path.
#
# mkuniqdir subdir new_dir_name
mkuniqdir() {
    local dir="$1"
    local prefix="$2"
    local retdir
    local retdir_new

    [ -d "${dir}" ] || mkdir -m 0755 -p "${dir}" || return 1

    retdir=$(funiq "${dir}" "${prefix}") || return 1
    until mkdir -m 0755 "${retdir}" 2> /dev/null; do
        retdir_new=$(funiq "${dir}" "${prefix}") || return 1
        [ "$retdir_new" = "$retdir" ] && return 1
        retdir="$retdir_new"
    done

    echo "${retdir}"
}

# Copy the contents of SRC into DEST, merging the contents of existing
# directories (kinda like rsync, or cpio -p).
# Creates DEST if it doesn't exist. Overwrites files with the same names.
#
# copytree SRC DEST
copytree() {
    local src="$1" dest="$2"
    [ -d "$src" ] || return 1
    mkdir -p "$dest" || return 1
    dest=$(readlink -e -q "$dest") || return 1
    (
        cd "$src" || exit 1
        cp -af . -t "$dest"
    )
}

# Evaluates command for UUIDs either given as arguments for this function or all
# listed in /dev/disk/by-uuid.  UUIDs doesn't have to be fully specified.  If
# beginning is given it is expanded to all matching UUIDs.  To pass full UUID to
# your command use '$___' as a place holder.  Remember to escape '$'!
#
# foreach_uuid_until [ -p prefix ] command UUIDs
#
# prefix - string to put just before $___
# command - command to be evaluated
# UUIDs - list of UUIDs separated by space
#
# The function returns after *first successful evaluation* of the given command
# with status 0.  If evaluation fails for every UUID function returns with
# status 1.
#
# Example:
# foreach_uuid_until "mount -U \$___ /mnt; echo OK; umount /mnt" \
#       "01234 f512 a235567f-12a3-c123-a1b1-01234567abcb"
foreach_uuid_until() (
    cd /dev/disk/by-uuid || return 1

    [ "$1" = -p ] && local prefix="$2" && shift 2
    local cmd="$1"
    shift
    local uuids_list="$*"
    local uuid
    local full_uuid
    local ___

    [ -n "${cmd}" ] || return 1

    for uuid in ${uuids_list:-*}; do
        for full_uuid in "${uuid}"*; do
            [ -e "${full_uuid}" ] || continue
            # shellcheck disable=SC2034
            ___="${prefix}${full_uuid}"
            eval "${cmd}" && return 0
        done
    done

    return 1
)

# Get kernel name for given device.  Device may be the name too (then the same
# is returned), a symlink (full path), UUID (prefixed with "UUID=") or label
# (prefixed with "LABEL=").  If just a beginning of the UUID is specified or
# even an empty, function prints all device names which UUIDs match - every in
# single line.
#
# NOTICE: The name starts with "/dev/".
#
# Example:
#   devnames UUID=123
# May print:
#   /dev/dm-1
#   /dev/sdb1
#   /dev/sdf3
devnames() {
    local dev="$1"
    local d
    local names

    case "$dev" in
        UUID=*)
            # shellcheck disable=SC2016
            dev="$(foreach_uuid_until '! blkid -U $___' "${dev#UUID=}")" \
                && return 255
            [ -z "$dev" ] && return 255
            ;;
        LABEL=*) dev="$(blkid -L "${dev#LABEL=}")" || return 255 ;;
        /dev/?*) ;;
        *) return 255 ;;
    esac

    for d in $dev; do
        names="$names
$(readlink -e -q "$d")" || return 255
    done

    echo "${names#
}"
}

usable_root() {
    local _i

    [ -d "$1" ] || return 1

    for _i in "$1"/usr/lib*/ld-*.so "$1"/lib*/ld-*.so; do
        [ -e "$_i" ] && return 0
    done

    for _i in proc sys dev; do
        [ -e "$1"/$_i ] || return 1
    done

    return 0
}

inst_hook() {
    local _hookname _unique _name _job _exe
    while [ $# -gt 0 ]; do
        case "$1" in
            --hook)
                _hookname="/$2"
                shift
                ;;
            --unique)
                _unique="yes"
                ;;
            --name)
                _name="$2"
                shift
                ;;
            *)
                break
                ;;
        esac
        shift
    done

    if [ -z "$_unique" ]; then
        _job="${_name}$$"
    else
        _job="${_name:-$1}"
        _job=${_job##*/}
    fi

    _exe=$1
    shift

    [ -x "$_exe" ] || _exe=$(command -v "$_exe")

    if [ -n "$onetime" ]; then
        {
            # shellcheck disable=SC2016
            echo '[ -e "$_job" ] && rm -f -- "$_job"'
            echo "$_exe $*"
        } > "/tmp/$$-${_job}.sh"
    else
        echo "$_exe $*" > "/tmp/$$-${_job}.sh"
    fi

    mv -f "/tmp/$$-${_job}.sh" "$hookdir/${_hookname}/${_job}.sh"
}

# inst_mount_hook <mountpoint> <prio> <name> <script>
#
# Install a mount hook with priority <prio>,
# which executes <script> as soon as <mountpoint> is mounted.
inst_mount_hook() {
    local _prio="$2" _jobname="$3" _script="$4"
    local _hookname
    _hookname="mount-$(str_replace "$1" '/' '\\x2f')"
    [ -d "$hookdir/${_hookname}" ] || mkdir -p "$hookdir/${_hookname}"
    inst_hook --hook "$_hookname" --unique --name "${_prio}-${_jobname}" "$_script"
}

# wait_for_mount <mountpoint>
#
# Installs a initqueue-finished script,
# which will cause the main loop only to exit,
# if <mountpoint> is mounted.
wait_for_mount() {
    local _name
    _name="$(str_replace "$1" '/' '\\x2f')"
    printf '. /lib/dracut-lib.sh\nismounted "%s"\n' "$1" \
        >> "$hookdir/initqueue/finished/ismounted-${_name}.sh"
    {
        printf 'ismounted "%s" || ' "$1"
        printf 'warn "\"%s\" is not mounted"\n' "$1"
    } >> "$hookdir/emergency/90-${_name}.sh"
}

killproc() {
    debug_off
    local _exe
    _exe="$(command -v "$1")"
    local _sig=$2
    local _i
    [ -x "$_exe" ] || return 1
    for _i in /proc/[0-9]*; do
        [ "$_i" = "/proc/1" ] && continue
        # the kernel exposes /proc/<pid>/exe (not /proc/<pid>/_exe)
        if [ -e "$_i"/exe ] && [ "$_i/exe" -ef "$_exe" ]; then
            kill "$_sig" "${_i##*/}"
        fi
    done
    debug_on
}

need_shutdown() {
    : > /run/initramfs/.need_shutdown
}

wait_for_loginit() {
    [ "$RD_DEBUG" = "yes" ] || return
    [ -e /run/initramfs/loginit.pipe ] || return
    debug_off
    echo "DRACUT_LOG_END"
    exec 0<> /dev/console 1<> /dev/console 2<> /dev/console
    # wait for loginit
    i=0
    while [ $i -lt 10 ]; do
        if [ ! -e /run/initramfs/loginit.pipe ]; then
            j=$(jobs)
            [ -z "$j" ] && break
            [ -z "${j##*Running*}" ] || break
        fi
        sleep 0.1
        i=$((i + 1))
    done

    if [ $i -eq 10 ]; then
        kill %1 > /dev/null 2>&1
        kill "$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /run/initramfs/loginit.pid)"
    fi

    setdebug
    rm -f -- /run/initramfs/loginit.pipe /run/initramfs/loginit.pid
}

# pidof version for root
if ! command -v pidof > /dev/null 2> /dev/null; then
    pidof() {
        debug_off
        local _cmd
        local _exe
        local _rl
        local _ret=1
        local i
        _cmd="$1"
        if [ -z "$_cmd" ]; then
            debug_on
            return 1
        fi
        _exe=$(command -v "$1")
        for i in /proc/*/exe; do
            [ -e "$i" ] || continue
            if [ -n "$_exe" ]; then
                [ "$i" -ef "$_exe" ] || continue
            else
                _rl=$(readlink -f "$i")
                [ "${_rl%/$_cmd}" != "$_rl" ] || continue
            fi
            i=${i%/exe}
            echo "${i##/proc/}"
            _ret=0
        done
        debug_on
        return $_ret
    }
fi

_emergency_shell() {
    local _name="$1"
    if [ -n "$DRACUT_SYSTEMD" ]; then
        : > /.console_lock
        echo "PS1=\"$_name:\\\${PWD}# \"" > /etc/profile
        systemctl start dracut-emergency.service
        rm -f -- /etc/profile
        rm -f -- /.console_lock
    else
        debug_off
        source_hook "$hook"
        echo
        /sbin/rdsosreport
        echo 'You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot'
        echo 'after mounting them and attach it to a bug report.'
        if ! RD_DEBUG='' getargbool 0 rd.debug -d -y rdinitdebug -d -y rdnetdebug; then
            echo
            echo 'To get more debug information in the report,'
            echo 'reboot with "rd.debug" added to the kernel command line.'
        fi
        echo
        echo 'Dropping to debug shell.'
        echo
        export PS1="$_name:\${PWD}# "
        [ -e /.profile ] || : > /.profile

        _ctty="$(RD_DEBUG='' getarg rd.ctty=)" && _ctty="/dev/${_ctty##*/}"
        if [ -z "$_ctty" ]; then
            _ctty=console
            while [ -f /sys/class/tty/$_ctty/active ]; do
                read -r _ctty < /sys/class/tty/$_ctty/active
                _ctty=${_ctty##* } # last one in the list
            done
            _ctty=/dev/$_ctty
        fi
        [ -c "$_ctty" ] || _ctty=/dev/tty1
        case "$(/usr/bin/setsid --help 2>&1)" in *--ctty*) CTTY="--ctty" ;; esac
        setsid $CTTY /bin/sh -i -l 0<> $_ctty 1<> $_ctty 2<> $_ctty
    fi
}

emergency_shell() {
    local _ctty
    set +e
    local _rdshell_name="dracut" action="Boot" hook="emergency"
    local _emergency_action

    if [ "$1" = "-n" ]; then
        _rdshell_name=$2
        shift 2
    elif [ "$1" = "--shutdown" ]; then
        _rdshell_name=$2
        action="Shutdown"
        hook="shutdown-emergency"
        shift 2
    fi

    echo
    echo
    warn "$*"
    echo

    _emergency_action=$(getarg rd.emergency)
    [ -z "$_emergency_action" ] \
        && [ -e /run/initramfs/.die ] \
        && _emergency_action=halt

    if getargbool 1 rd.shell -d -y rdshell || getarg rd.break -d rdbreak; then
        _emergency_shell "$_rdshell_name"
    else
        source_hook "$hook"
        warn "$action has failed. To debug this issue add \"rd.shell rd.debug\" to the kernel command line."
        [ -z "$_emergency_action" ] && _emergency_action=halt
    fi

    case "$_emergency_action" in
        reboot)
            reboot || exit 1
            ;;
        poweroff)
            poweroff || exit 1
            ;;
        halt)
            halt || exit 1
            ;;
    esac
}

# Retain the values of these variables but ensure that they are unexported
# This is a POSIX-compliant equivalent of bash's "export -n"
export_n() {
    local var
    local val
    for var in "$@"; do
        eval val=\$$var
        unset $var
        [ -n "$val" ] && eval "$var=\"$val\""
    done
}

# returns OK if list1 contains all elements of list2, i.e. checks if list2 is a
# sublist of list1.  An order and a duplication doesn't matter.
#
# $1 = separator
# $2 = list1
# $3 = list2
# $4 = ignore values, separated by $1
listlist() {
    local _sep="$1"
    local _list="${_sep}${2}${_sep}"
    local _sublist="$3"
    [ -n "$4" ] && local _iglist="${_sep}${4}${_sep}"
    local IFS="$_sep"
    local _v

    [ "$_list" = "$_sublist" ] && return 0

    for _v in $_sublist; do
        if [ -n "$_v" ] && ! ([ -n "$_iglist" ] && strstr "$_iglist" "$_v"); then
            strstr "$_list" "$_v" || return 1
        fi
    done

    return 0
}

# returns OK if both lists contain the same values.  An order and a duplication
# doesn't matter.
#
# $1 = separator
# $2 = list1
# $3 = list2
# $4 = ignore values, separated by $1
are_lists_eq() {
    listlist "$1" "$2" "$3" "$4" && listlist "$1" "$3" "$2" "$4"
}

setmemdebug() {
    if [ -z "$DEBUG_MEM_LEVEL" ]; then
        DEBUG_MEM_LEVEL=$(getargnum 0 0 5 rd.memdebug)
        export DEBUG_MEM_LEVEL
    fi
}

setmemdebug

# parameters: func log_level prefix msg [trace_level:trace]...
make_trace_mem() {
    local log_level prefix msg msg_printed
    local trace trace_level trace_in_higher_levels insert_trace

    msg=$1
    shift

    prefix='[debug_mem]'
    log_level=$DEBUG_MEM_LEVEL

    if [ -z "$log_level" ] || [ "$log_level" -le 0 ]; then
        return
    fi

    # FIXME? useless echo?
    # shellcheck disable=SC2116
    msg=$(echo "$msg")

    msg_printed=0
    while [ $# -gt 0 ]; do
        trace=${1%%:*}
        trace_level=${trace%%+}
        [ "$trace" != "$trace_level" ] && trace_in_higher_levels="yes"
        trace=${1##*:}

        if [ -z "$trace_level" ]; then
            trace_level=0
        fi

        insert_trace=0
        if [ -n "$trace_in_higher_levels" ]; then
            if [ "$log_level" -ge "$trace_level" ]; then
                insert_trace=1
            fi
        else
            if [ "$log_level" -eq "$trace_level" ]; then
                insert_trace=1
            fi
        fi

        if [ $insert_trace -eq 1 ]; then
            if [ $msg_printed -eq 0 ]; then
                echo "$prefix $msg"
                msg_printed=1
            fi
            show_memstats "$trace"
        fi
        shift
    done
}

# parameters: type
show_memstats() {
    case $1 in
        shortmem)
            while read -r line || [ -n "$line" ]; do
                str_starts "$line" "MemFree" \
                    || str_starts "$line" "Cached" \
                    || str_starts "$line" "Slab" \
                    || continue
                echo "$line"
            done < /proc/meminfo
            ;;
        mem)
            cat /proc/meminfo
            ;;
        slab)
            cat /proc/slabinfo
            ;;
        iomem)
            cat /proc/iomem
            ;;
    esac
}

remove_hostonly_files() {
    rm -fr /etc/cmdline /etc/cmdline.d/*.conf "$hookdir/initqueue/finished"
    if [ -f /lib/dracut/hostonly-files ]; then
        while read -r line || [ -n "$line" ]; do
            [ -e "$line" ] || [ -h "$line" ] || continue
            rm -f "$line"
        done < /lib/dracut/hostonly-files
    fi
}

# parameter: kernel_module [filesystem_name]
# returns OK if kernel_module is loaded
# modprobe fails if /lib/modules is not available (--no-kernel use case)
load_fstype() {
    strstr "$(cat /proc/filesystems)" "${2:-$1}" || modprobe "$1"
}
  1. Update dracut
    sudo dracut --force
  2. Open /etc/default/grub
    sudo nano /etc/default/grub
    add rootovl to GRUB_CMDLINE_LINUX, then change dom0_mem=max: and add 90% of your available RAM (you can find this info with command xl info | grep total_memory in terminal). For example, if you have 15 GB of available RAM, write dom0_mem=max:13312 (if you have 64 GB of RAM, you can write dom0_mem=max:59392).
    Then update grub
    sudo grub2-mkconfig -o /boot/grub2/grub.cfg

You will now always launch dom0 in live mode!

Next, copy Whonix and Kicksecure templates and select varlibqubes in the advanced settings. Then create new AppVMs based on the varlibqubes templates and also select varlibqubes in the advanced settings.

Templates in vm-pool will be in persistent mode (but metadata from dom0 will be deleted, so if you create a new qube in vm-pool in live mode, it will not be saved after rebooting).

To launch persistent mode for dom0 and perform updates or install new programs, do the following:

  • Press E in grub menu and remove rootovl, then press F10. This will launch a persistent session for one time.
  • To completely remove live mode, remove rootovl in /etc/default/grub and update grub in persistent mode.
4 Likes

A little misleading, because in dom0 free -h will only show the memory currently allocated to dom0, not the whole installed memory!
The correct way to find this information is:
[user@dom0] xl info | grep total_memory

Or the user probably knows how much memory the system has (or can find out in the BIOS screen).

You are right

It works! I just checked it. It’s fantastic. Now we have 2 amnesic Qubes:
ZRAM Live Mode
OverlayFS Live Mode
It can be used simultaneously - either loading the first version or version with overlayfs.

Can we add this option to the first version’s prompt? Something like “Enter Boot option: ZRAM (z), OverlayFS (o) or Persistent (r)”

Please write an instruction for running it in btrfs. Overlayfs works by default in btrfs, but requires too much RAM. I can’t get it to run in btrfs and I don’t quite understand what needs to be done. I replaced mount /dev/mapper/qubes_dom0-root with my /, but that didn’t help

Hello everyone. Did anybody test whether it works on Qubes 4.3 or not?

I think so, yes. Both methods are based on dracut, and there haven’t been any changes to dracut.

1 Like

This root snapshot is not related to the session in an AppVM. It is stored in dom0 and cannot be preserved in live mode. For example, you can create an AppVM in varlibqubes, but run it only in a dom0 live - then you won’t see the vm-root-snap device when you run lsblk

Bash theme for dom0 that shows the dom0 mode: persistent (/dev/mapper/qubes_dom0-root) or live RAM mode (/dev/zram0 or overlay)

Add this code into .bashrc instead of the default code:

# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
	. /etc/bashrc
fi

# User specific environment
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
    PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH

###########################


export VIRTUAL_ENV_DISABLE_PROMPT=true


__qubes_update_prompt_data() {
	local RETVAL=$?

	__qubes_venv=''
	[[ -n "$VIRTUAL_ENV" ]] && __qubes_venv=$(basename "$VIRTUAL_ENV")

	__qubes_git=''
	__qubes_git_color=$(tput setaf 10)  # clean
	local git_branch=$(git --no-optional-locks rev-parse --abbrev-ref HEAD 2> /dev/null)
	if [[ -n "$git_branch" ]]; then
		local git_status=$(git --no-optional-locks status --porcelain 2> /dev/null | tail -n 1)
		[[ -n "$git_status" ]] && __qubes_git_color=$(tput setaf 11)  # dirty
		__qubes_git="‹${git_branch}›"
	fi

	__qubes_prompt_symbol_color=$(tput sgr0)
	[[ "$RETVAL" -ne 0 ]] && __qubes_prompt_symbol_color=$(tput setaf 1)


	return $RETVAL  # to preserve retcode
}


# Append to an existing PROMPT_COMMAND instead of overwriting it
# (git_branch is local to the function above and is not set here)
if [[ -n "$PROMPT_COMMAND" ]]; then
	PROMPT_COMMAND="$PROMPT_COMMAND; __qubes_update_prompt_data"
else
	PROMPT_COMMAND="__qubes_update_prompt_data"
fi


PS1=''
PS1+='\[$(tput setaf 7)\]$(echo -ne $__qubes_venv)\[$(tput sgr0)\]'
PS1+='\[$(tput setaf 14)\]\u'
PS1+='\[$(tput setaf 15)\] 👑 '
PS1+='\[$(tput setaf 9)\]\h'
PS1+=" $(findmnt -n -o SOURCE /)"
PS1+='\[$(tput setaf 15)\]:'
PS1+='\[$(tput setaf 7)\]\w '
PS1+='\[$(echo -ne $__qubes_git_color)\]$(echo -ne $__qubes_git)\[$(tput sgr0)\] '
PS1+='\[$(tput setaf 8)\]\[$([[ -n "$QUBES_THEME_SHOW_TIME" ]] && echo -n "[\t]")\]\[$(tput sgr0)\]'
PS1+='\[$(tput sgr0)\]\n'
PS1+='\[$(echo -ne $__qubes_prompt_symbol_color)\]\$\[$(tput sgr0)\] '
1 Like
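As an added example (not part of the theme above or of anything else in the thread): a small POSIX sh helper that turns the root source the prompt prints into a named mode and checks it against rootovl on the kernel command line, so a mismatch (rootovl set but / not an overlay, meaning the hook did not run) is noticed instead of silently booting persistent. It assumes only findmnt and /proc/cmdline, as used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not from the thread: name the dom0 boot mode and sanity-check it.

# $1 = root source as printed by `findmnt -n -o SOURCE /`
# Prints one of: persistent, zram-live, overlayfs-live, unknown
dom0_mode() {
    case "$1" in
        /dev/mapper/qubes_dom0-root) echo persistent ;;
        /dev/zram*)                  echo zram-live ;;
        overlay)                     echo overlayfs-live ;;
        *)                           echo unknown ;;
    esac
}

# $1 = root source, $2 = kernel command line (contents of /proc/cmdline)
# Returns 0 when the mode matches the command line:
#   rootovl present => / must be an overlay
#   rootovl absent  => / must not be an overlay
dom0_mode_consistent() {
    mode=$(dom0_mode "$1")
    case " $2 " in
        *" rootovl "*) [ "$mode" = overlayfs-live ] ;;
        *)             [ "$mode" != overlayfs-live ] ;;
    esac
}

# Query the running dom0 and report; exit status 1 on a mismatch.
dom0_mode_report() {
    src=$(findmnt -n -o SOURCE /)
    cmdline=$(cat /proc/cmdline)
    if dom0_mode_consistent "$src" "$cmdline"; then
        echo "dom0 root: $src -> $(dom0_mode "$src")"
    else
        echo "dom0 root: $src -> $(dom0_mode "$src") (WARNING: does not match rootovl on the kernel command line)"
        return 1
    fi
}
```

Call dom0_mode_report from a dom0 shell; the other two functions take their inputs as arguments so they can be checked offline.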

Both live modes will not work if it is implemented in R5.0.

Need to create a new pool in dom0 or switch to btrfs

Hi @linuxuser1

Thank you for tracking the different ways of running amnesic Qubes.

A question: how would someone set up Whonix (especially, the NetVM, sys-whonix) to run on an ephemeral RAM-based qube on either approach (the OverlayFS method or the ZRAM method)?

Would I need to reinstall the Whonix templates and use the varlibqubes template pool during reinstallation somehow? Can I do it on the fly in case I already have Qubes with Whonix preinstalled? I am new to QubesOS

I am aware there are downsides to this; one being that the Tor entry guards aren’t persisted and thus you’re more susceptible to correlation attacks; but ignoring this, how would someone achieve this?

Thanks

Hi. Clone sys‑whonix and the Whonix appVMs into the varlibqubes pool. Then start Qubes, for example, using zram. Make sure to specify the cloned sys‑whonix in the update settings; otherwise Whonix won’t be able to update. You don’t need to touch the Whonix templates—my research shows that templates can reside in the VM pool without affecting the forensic threat.

2 Likes

Thanks @linuxuser1 !

Another question: I am facing this “issue” Really disposable (RAM based) qubes - #218 by emacs84 and I think you went through the same Trim in templateVMs (though, in my case, I don’t mind if templates use the vmpool, only AppVMs should use varlibqubes)? I am not knowledgeable enough to know if either the ZRAM or OverlayFS approach would result in the same scenario here.

Did you ever find a way to make TRIMs possible when using varlibqubes and thus the pools don’t grow indefinitely? Or to use a different driver other than file?

Thanks

#!/bin/sh

# Interactive dracut hook: ask which root dom0 should boot from.
#   t = tmpfs overlay (OverlayFS live mode)
#   z = copy the root filesystem into zram (ZRAM live mode)
#   s = standard persistent root
# The real root is already mounted at $NEWROOT (/sysroot) when this runs.
read -r line
case "${line:-Nn}" in
[Tt]* )
. /lib/dracut-lib.sh
modprobe overlay

# a little bit tuning (the nfsroot example this was adapted from also passes
# nolock, an NFS-only option; dom0's root is ext4 on LVM, so it is dropped)
mount -o remount,noatime "$NEWROOT"

# Move root
# --move does not always work. Google >mount move "wrong fs"< for
# details
mkdir -p /live/image
mount --bind "$NEWROOT" /live/image
umount "$NEWROOT"

# Create tmpfs for the writable upper layer; everything written to / lands here
mkdir -p /cow
mount -n -t tmpfs -o mode=0755,size=100% tmpfs /cow
mkdir -p /cow/work /cow/rw

# Merge both to new Filesystem: read-only lower (disk) + tmpfs upper
mount -t overlay -o noatime,lowerdir=/live/image,upperdir=/cow/rw,workdir=/cow/work,default_permissions overlay "$NEWROOT"

# Let filesystems survive pivot
mkdir -p "$NEWROOT"/live/cow
mkdir -p "$NEWROOT"/live/image
mount --bind /cow/rw "$NEWROOT"/live/cow
umount /cow
mount --bind /live/image "$NEWROOT"/live/image
umount /live/image
;;
[Zz]* )
# Copy the whole root filesystem into a compressed RAM block device
mkdir -p /mnt
umount /sysroot
mount /dev/mapper/qubes_dom0-root /mnt
modprobe zram
# disksize is the uncompressed capacity; 62G is sized for a 64 GB machine,
# adjust it to your RAM (it must hold the entire dom0 root)
echo 62G > /sys/block/zram0/disksize
/mnt/usr/sbin/mkfs.ext2 /dev/zram0
mount /dev/zram0 /sysroot
cp -a /mnt/* /sysroot
exit 0
;;
[Ss]* )
# Standard boot: keep the persistent root already mounted at /sysroot
exit 0
;;
* )
exit 1
;;
esac

tmpfs and zram0 in dracut menu