Ok so I can graft my old VMs into standalone qubes. Although I don’t have image backups of all; I generally back up their contents.
On giving qubes PCI devices, actually I am using SR-IOV, which is a method of dividing one NIC into 8-16 ‘virtual interfaces’. These virtual interfaes are available on the host for allocation to VMs as if they are physical interfaces. No idea how/where this would be done in Qubes.
I’ve read every usage doc and am in the process of watching a spewtube series, but my questions remain.
Installing multiple daemons into one template means that although they may not be in a qube’s menu, they are still available for execution. If a threat actor gets into a qube she may be able to execute a vulnerable app and pivot to higher privileges.
Ok one can network any qube, but I don’t yet see how it’s done. I need qubes to have stable IPs on the LAN, as they are running daemons which must have a location-certain.
Another issue I haven’t mentioned is this is a ‘lights-out’ server, meaning I absolutely need remote access to everything. It would seem that this means attaching dom0 to the LAN and installing X2Go on it, however unrecommendable that may be. Some kind of out-of-band IPMI function would be ideal for this.
Regrettably it is starting to look like Qubes is not geared for enterprise-style systems.