Qubes-iptables and qubes-firewall services execution internals in proxyVM

I would like to understand the Qubes services internals with the example of qubes-iptables and qubes-firewall that are enabled in a proxyVM.
I understood this is linked to the systemd behaviour, but I struggle to go a bit deeper.

First thing: as there are no qubes-firewall and qubes-iptables files in /var/lib/qubes-services, I understand I cannot manipulate these services with the qvm-service cmdline. However, I also noticed that there is a ‘cups’ file in this directory, but qvm-service -l PROXYVM does return an empty line. I would have expected that all files in /var/lib/qubes-services would return a dedicated line to this command, but this is not the case. Am I missing something here?

Then, going back to my two services qubes-iptables and qubes-firewall: what are the exact execution steps that are followed to execute in the end these two services in the proxyVM?

Let’s say I want to disable them from the associated template VM, what would be the good way?

Many thanks :slight_smile:

I don’t have the directory /var/lib/qubes-services in 4.2 (I don’t know if I had one in 4.1…)

You can use qvm-service, the directory is /var/run/qubes-service/.
https://www.qubes-os.org/doc/qubes-service/

[user@sys-firewall-dvm ~]$ ll /var/run/qubes-service
total 0
-rw-r--r-- 1 root root 0 Nov  6 15:24 qubes-firewall
-rw-r--r-- 1 root root 0 Nov  6 15:24 qubes-network
-rw-r--r-- 1 root root 0 Nov  6 15:24 qubes-update-check

This is the wrong directory for qvm-service.
But the info of qvm-service can show an empty line even if some services are enabled.
If they are not listed, they follow the default settings.
See man qvm-service in dom0.
https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-service.html

Some related issues:
https://github.com/QubesOS/qubes-issues/issues/3948
https://github.com/QubesOS/qubes-issues/issues/4480

I think the documentation link in the beginning of my post answers both of these questions.
systemd for the first one.
qvm-service for the second.
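
As an added example (not part of the original posts, and not Qubes project code): per the documentation linked above, a service flag takes effect through systemd units that carry ConditionPathExists=/var/run/qubes-service/NAME, so this script, run inside the qube, lists which units are gated on which flag file and whether that condition is currently met. The unit search paths and the function name qubes_gated_units are assumptions.

```shell
#!/bin/sh
# Added example, run inside the qube (not dom0). Read-only: it only greps and stats.
# FLAG_DIR and UNIT_DIRS are overridable (assumption: standard systemd unit paths).
FLAG_DIR="${FLAG_DIR:-/var/run/qubes-service}"
UNIT_DIRS="${UNIT_DIRS:-/etc/systemd/system /usr/lib/systemd/system /lib/systemd/system}"

# Print "unit flag met|unmet" for every ConditionPathExists= pointing into FLAG_DIR.
# "met" only means this one condition passes; the unit must still be enabled
# and satisfy any other conditions before systemd starts it.
# Limitation: unit file paths containing ':' are not handled.
qubes_gated_units() {
    for dir in $UNIT_DIRS; do
        [ -d "$dir" ] || continue
        grep -rH '^ConditionPathExists=' "$dir" 2>/dev/null || true
    done | while IFS= read -r line; do
        file=${line%%:*}
        cond=${line#*ConditionPathExists=}
        cond=${cond#'|'}                      # drop systemd's "triggering" prefix
        negate=no
        case $cond in
            '!'*) negate=yes; cond=${cond#'!'} ;;
        esac
        # Keep only conditions that point at a Qubes service flag file.
        case $cond in
            "$FLAG_DIR"/*) ;;
            *) continue ;;
        esac
        flag=${cond#"$FLAG_DIR"/}
        # A drop-in lives in <unit>.d/; otherwise the file itself is the unit.
        parent=$(basename "$(dirname "$file")")
        case $parent in
            *.d) unit=${parent%.d} ;;
            *)   unit=$(basename "$file") ;;
        esac
        if [ -e "$cond" ]; then present=yes; else present=no; fi
        # Without "!", the condition is met when the flag exists; with "!", when it is absent.
        if [ "$present" != "$negate" ]; then state=met; else state=unmet; fi
        printf '%s %s %s\n' "$unit" "$flag" "$state"
    done | sort -u
}

qubes_gated_units
```

A unit reported as unmet is skipped by systemd at boot even if it is enabled in the template, which is why toggling the flag with qvm-service from dom0 is enough to switch it per qube.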

Many thanks for your answer.
Indeed, I made a typo in my first message: I wanted to write /var/run/qubes-services (not /var/lib/), very sorry for the misunderstanding, and your explanations helped me
