Might as well ask it, since I can see suggestions for options during Qubes OS install in quite a few other threads here, and it would be a good thing to have them all in one place.
What sort of automated setup options would you like to see in the Qubes OS install/initial boot?
My brainstorm list: (in no particular order, not taking into consideration their complexity, feasibility or practicality)
Installation of boot partition on external block device (USB stick, SD card, etc.)
Network boot in initramfs
Dropbear (or other method) instance to allow remote entering of LUKS password, remote wipe, and other similar functions
Importing/installation of any certificates/keys (SSH, VPN, etc.) during install
Creation of additional VM pools on other block devices (eg. Plug in a USB stick and Qubes OS prompts for LUKS password, and then auto loads the thin pool on it)
Option to install qubes-remote-support packages
More will come when I think of them
You never know, maybe your suggestion might be an awesome one and get implemented in the standard install
Can I add pluggable Dom0 distro? I’d for once would like a very minimalistic system for Dom0, streamlined to the bare bones. Perhaps the GUI qube will align on this direction and eliminate X from Dom0? Or just give users a couple of Dom0 options like Debian-minimal, for example?
Well, the security should be embedded on a hardening package, not spread over the overall distribution. Think of it as a qubes-dom0-hardening. There could be one .rpm and one .deb, with the specific hardening included. And, if they are too paranoid, there could be a way to test it too (think along the lines of the CIS-CAT tool from the Center for Internet Security).
Of course this is a lot of work, so it may never get done.
I would be happy just to have a checkbox during the auto partitioning. When installing I don’t necessarilly know all the recommended partitioning parameters off the top of my head, and if I select the automatic partitioning I can not also select btrfs. If I select btrfs first it just reverts back when asking it to do the partitioning for me.
I have gone in circles on a number of machines trying to force this. The only sure way to get auto configuring and BTRFS is to do auto configure first, stop the install mid way, then restart the install and do the manual partitioning where I reuse the existing partitions but change them to BTRFS first, and then continue with that install. If there is an easier way I have not found it. These seem to be mutually exclusive options for some reason.
How hard would it be just to have a selector (radio box or checkbox) to allow the autopartitioning to do an alternate fs automatically? This could save saved me literally hours of time during each new install trying to figure this out.
Definitely worth considering. Extra maintenance resource requirements aside, and the fact that not having XFCE (the only currently fully-maintained and “supported” DE) installed might not be a good experience, especially as a first impression of Qubes OS; maybe as an additional option on install or first boot?
Perhaps an option to install the Qubes contrib repo on first boot?
Something like:
Would you like to install the Qubes Contrib Repo?
What is the Qubes Contrib Repo, you might ask?
EXPLANATION
This is unofficial, and the Qubes OS team takes no responsibility for anything that happens to your machine, blah blah blah, usual disclaimers….
Would you like to enable it (and install anything from it) now?
——-
I’ll go you one further:
The option to download and install additional template RPMs on install/first boot
Is it at least an option in the current installer?
(It’s been a few months since I did my last Qubes OS install….)
I guess having it as the default option would be a call for the devs, but yeah, I could see this as potentially a good thing…
——-
I’m going to add another one:
Automated Qubes OS install and configuration, possibly via network boot (for the poor guy or girl in the IT department who has to set up hundreds of work machines )
I would like to see the option to (easily) configure firewall rules to each VM. Isolation and compartmentalization should be done on network level as well, and be accessible to the end-user.
In general, every AppVM has the need to access specific network resources. Some only need internet with access to local LAN blocked, others need access to local LAN resources only and the rest of it blocked.
A simple out-of-the-box walk-through for each new VM (all of them, in the case of a newly installed OS) would add a security layer that currently require the users to initiate and configure by themselves. I would love to see it offered as part of OS post-install configuration. [thanks and appreciation to all the hard-working coders ]
@tzwcfq is right. That’s all there in the “Firewall” tab in the Qube Settings GUI window. I’ve used it for internet-facing VMs (I didn’t want remote users printing a skull and bones on my printers at 3am to scare me, etc.), and it works like a charm.
Or are you saying:
the “Firewall” tab isn’t easy enough to use?
If so, what are your suggestions?
you’d like to see an option in the first boot?
If so, how would that work? What did you have in mind?
At the moment, it’s a cinch to understand if you’ve used iptables in the terminal, but you’d probably be a bit lost if you haven’t, so I can sort of see where you’re coming from
I never claimed there isn’t a firewall tab, except:
a. The firewall tab allow only the most basic rules, and for anything else the user has to use the terminal. Rules such as “only allowed internet”, or “NOT allowed subnet x.x.x.x” require terminal. a more sophisticated rule such as “only allow these internet URL’s” isn’t even an option, and I already posted in the past that i’d love to see OS built-in application-specific firewall but that is out of the scope of this thread.
b. I would like to see an option in first boot, right after OS install with suggestions to the user, such as “This is the “Untrusted” VM so we suggest that it only have network access to the internet but not your LAN. If you tell us what IP’s or subnets are part of your LAN we can add a rule to block this AppVM from accessing it.” or “Which access would you like to give this new AppVM? [options: Internet, specific IP’s, specific subnets, everything (not recommended)] we will obviously block access to anything not specifically permitted.”
I agree 100% with what you’re saying. It would be nice to have an “Advanced…” button or tab that allows you to get this level of functionality.
A couple of pre-defined configs presented to the user (most likely based on most common firewall functions), but with the option to customise for those that wish to…
I really like this idea. Not just for first boot, but also for the “Create Qubes VM” gui app. Would be a really good addition.
Yeah, my bad. I could have worded this a bit better. I meant that I can see where you’re coming form in terms of a user experience.
I don’t know you did that, it seems to me it can only be used to allow access to specific hosts. It’s basically an outbound allow list with a default drop rule.
I always end up having to use qvm-firewall in dom0 to configure the vm firewall, the tools are there to do it, but it would be nice with a UI where you manage firewall rules in one place.
I was reading through “Intrustion detectors in dom0”, and had an idea.
A watchdog that monitors all VMs for certain commands, file types, actions, etc., and then alerts the user “Should you really be doing this in this VM? Wouldn’t it be better in <VM-name>? Would you still like to proceed?”
It might help mitigate cross-contamination of AppVMs (for example, just using whatever web browser is currently open and on-screen), and prevent people from “self-pwning” from complacency. I could see this being particularly beneficial for new users to Qubes OS (but potentially infuriating for experienced users, though).
I haven’t thought it through fully, but I thought I’d just throw it out there…
Second this. I miss the pre-configured i3 experience I had on Manjaro. It would be nice if the installer gave users a number of DE options. Gnome, Xfce, KDE, and i3 should cover 99% of people.
How about introducing minimal VM as part of the initial install of Qubes?
minimal-VM by default for the Net/FW/USB AppVM. These VM will (probably) never have the need for everything that currently come preinstalled on a regular VM.
the option to install minimal VM via setup GUI (instead of later on via command-line)
The option to add various minimal VM which are pre-configured to a specific task, such as media watching, or internet browsing (such as using a separate VM for accessing one’s bank account).
Qubes is all about compartmentalization - I say let’s help the users realize the potential in that.
My knowledge regarding the differences between minimal and regular VM is rather limited, but I know for sure that they take considerably less space in backups
I like that idea, coupled with a quick tutorial about what they’re used for.
“Clone me, and use me as a starting point.”
But I can definitely see new users not understanding why they have to install all this extra stuff after they just installed Qubes OS, particularly if they’re not “techy”…
“Didn’t I just install Qubes? Why do I have to install more stuff? Why can’t I just use my computer? This is dumb…”
)
]
