Qvm-connect-tcp does not work in fedora-39-minimal template

Hi! I’ve recently tried to establish TCP connections between two qubes with fedora-39-minimal template via RPC protocols, in Qubes 4.2.0

I’ve correctly created a new policy file with proper rule as said in file /etc/qubes/policy.d/90-default.policy

Also i’ve installed as said here: Minimal templates | Qubes OS

However I still cannot establish a TCP connection via tcp between this two qubes with minimal templates. What i am doing wrong?

IMG_20240618_1534031920×1446 137 KB

As shown in this picture, curl fails. I suspect something is happening with the minimal template because changing both qubes templates to fedora-39-xfce templates works perfectly

I’ve successfully established the same connection but changing both qubes templates to default fedora-39-xfce template (i perfectly receive HTTP response in “cliente” qube)

There must be many packages i don’t figure out to install or something strange i have no idea about

Please only answer me solutions, no need security awareness

Thanks in advance

What packages did you install in the fedora-39-minimal template?

Wow, that was fast!

First i downloaded the template writing this command in dom0: sudo qubes-dom0-update qubes-template-fedora-39-minimal

I didn’t update the template, maybe works, but don’t think so because i did a fast test a week ago and still didn’t work

Then i installed this packages (with “sudo dnf install package” written in a template root shell obtained with “qvm-run -u root fedora-39-minimal xterm”):

nmap (contains ncat and that stuff)
qubes-core-agent-networking
qubes-core-agent-network-manager
qubes-core-agent-dom0-updates
tcpdump
(other packages i dont remember but still not useful)

Is something missing? For sure, please list those packages are still needed (in addition i curl www google.es in both qubes and works fine)

Do i need to restart the computer to make changes effective? Restarting the qubes might be enough but never mind

Thanks, i’ll be waiting for your reply!

Srry I didnt reply you directly, those are the packages installed appart from those preinstaled in the template

Thanks in advance, let me know if you know how to fix this!

I’ve tested with debian-12-minimal with just netcat-openbsd, curl and socat installed and it worked for me.
I don’t have fedora minimal template to test this right now.
Maybe some issue with selinux configuration.
Try to run setenforce 0 as root in both qubes and check again.

I’ve installed fedora-39-minimal template and installed netcat package inside and qvm-connect-tcp worked for me without a problem.

Fedora minimal template still not working for me. Also setenforce 0 command cannot be found. Here i describe exactly what i do:

(In dom0)

sudo qubes-dom0-update qubes-template-fedora-39-minimal

qvm-run -u root fedora-39-minimal

(in root shell)

dnf install qubes-core-agent-networking qubes-core-agent-network-manager nmap netcat netcat-openbsd curl socat

(Exit and shutdown template qube)

(Create two qubes cliente and servidor with fedora-39-minimal-template and start both with xterm no root)

(In both qubes, returns webpage correctly)

curl www.google.es

(In servidor qube)

Create file hello.http with HTTP/1.1 200 OK response status and simple http with body tags

ncat -l localhost 8080 < hello.http

(In cliente qube)

qvm-connect-tcp ::8080
(Binding TCP ‘@default:8080’ to ‘localhost:8080’…)
curl localhost:8080

curl: (52) Empty reply from server

(Servidor ncat call still blocking)

May you provide me all exact steps in order you did to archieve that? I also tried to run in fedora-39-minimal template root terminal “dnf update && dnf upgrade” but still not working

(Still working changing to fedora-39-xfce template after trying all this and nothing else)

(Both qubes have access to internet via sys-firewall)

(Recent clean qubes os installation and checked .iso integrity so that should not be installation problem)

I’m going to try with minimal debian template, i hope that works

Thank you so much, if works with debian, i will mark your solution as correct, thanks!

Again direct reply to you didn’t work, dnw

Install fedora-39-minimal using Qubes Template Manager GUI tool or qvm-template command line tool in dom0. I’ve tried with both fedora-39-minimal template without updates and fedora-39-minimal with latest updates and they both worked.
Install netcat packages in fedora-39-minimal template:

dnf install netcat

Create two app qubes a and b based on fedora-39-minimal template.
Add qrexec policy in dom0 /etc/qubes/policy.d/30-user.policy:

qubes.ConnectTCP +8080 a @default allow target=b

Start qube b terminal and run these commands there:

echo -e "HTTP/1.0 200 OK\n\nTEST" | nc -l 8080

Start qube a terminal and run these commands there:

qvm-connect-tcp ::8080
curl localhost:8080

Yeah, this works!

I think is ncat version problem because ncat still doesn’t work but nc works perfectly, i don’t know what is happening

I’ll write the solution with ncat here if found

Thank you very much!

Check ncat man/help, I’m not sure that you need to specify for it to listen on localhost, maybe just ncat -l 8080 would be enough.

Works with ncat -l 8080 < hello.http perfectly. I wonder why did it work with different syntax in fedora-39-xfce, it’s a little bit strange

IMG_20240618_1532061920×1446 118 KB