Reviving a dead AppVM

PC was off for a few months. I do make backups, but I am not 100% sure if anything of importance is in the home folder and not already backed up.

The AppVM starts.
Applications do not start, though.

   qvm-run -a personal xterm 
   Running 'xterm' on personal

Nothing happens, no prompt; it just hangs there until I hit Ctrl+C.

Fedora 32 (Thirty Two)
Kernel 4.19.142-1.pvops.qubes.x86_64 on an x86_64 (hvc0)

localhost login: [   11.821673] kauditd_printk_skb: 39 callbacks suppressed
[   11.821676] audit: type=1106 audit(1600260187.712:53): pid=1290 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="user" exe="/usr/bin/qubes-gui-runuser" hostname=localhost addr=? terminal=/dev/tty7 res=success'
[   11.821853] audit: type=1104 audit(1600260187.712:54): pid=1290 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_rootok acct="user" exe="/usr/bin/qubes-gui-runuser" hostname=localhost addr=? terminal=/dev/tty7 res=success'
[   21.932952] audit: type=1131 audit(1600260197.823:55): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   21.961386] audit: type=1131 audit(1600260197.851:56): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user-runtime-dir@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   28.650823] audit: type=1100 audit(1600260204.541:57): pid=1575 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_rootok acct="user" exe="/usr/lib/qubes/qrexec-agent" hostname=? addr=? terminal=? res=success'
[   28.651938] audit: type=1103 audit(1600260204.542:58): pid=1575 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_rootok acct="user" exe="/usr/lib/qubes/qrexec-agent" hostname=? addr=? terminal=? res=success'
[   28.681775] audit: type=1130 audit(1600260204.572:59): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user-runtime-dir@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   28.693159] audit: type=1101 audit(1600260204.583:60): pid=1578 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix acct="user" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   28.693198] audit: type=1103 audit(1600260204.583:61): pid=1578 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=? acct="user" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
[   28.693289] audit: type=1006 audit(1600260204.583:62): pid=1578 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=2 res=1
[   28.697310] audit: type=1105 audit(1600260204.587:63): pid=1578 uid=0 auid=1000 ses=2 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="user" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   28.804843] audit: type=1130 audit(1600260204.695:64): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   28.812056] audit: type=1105 audit(1600260204.702:65): pid=1575 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="user" exe="/usr/lib/qubes/qrexec-agent" hostname=? addr=? terminal=? res=success'

PS
not able to post full log due to forum limitation
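
Added example, not part of the original post: a small Python parser that splits kernel audit records like the ones in the console log above into fields and returns only those reporting a failed result. The sample lines are copied from that log; the names given to the type numbers are taken from the Linux audit headers, and the function names are this example's own.

```python
import re

# Names for the audit record types that appear in the posted log.
TYPE_NAMES = {1006: "LOGIN", 1100: "USER_AUTH", 1101: "USER_ACCT",
              1103: "CRED_ACQ", 1104: "CRED_DISP", 1105: "USER_START",
              1106: "USER_END", 1130: "SERVICE_START", 1131: "SERVICE_STOP"}

# Sample input: lines copied from the console log in the post above.
SAMPLE = """\
localhost login: [   11.821673] kauditd_printk_skb: 39 callbacks suppressed
[   28.650823] audit: type=1100 audit(1600260204.541:57): pid=1575 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_rootok acct="user" exe="/usr/lib/qubes/qrexec-agent" hostname=? addr=? terminal=? res=success'
[   28.693198] audit: type=1103 audit(1600260204.583:61): pid=1578 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=? acct="user" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
[   28.693289] audit: type=1006 audit(1600260204.583:62): pid=1578 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=2 res=1
[   28.804843] audit: type=1130 audit(1600260204.695:64): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

RECORD = re.compile(r"audit: type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r"""(\w[\w-]*)=("[^"]*"|'[^']*'|\S+)""")

def parse_fields(text):
    """Split key=value pairs; the single-quoted msg='...' payload is flattened."""
    out = {}
    for key, val in FIELD.findall(text):
        if key == "msg" and val.startswith("'"):
            out.update(parse_fields(val[1:-1]))
        else:
            out[key] = val.strip('"')
    return out

def parse_line(line):
    """Return a dict for one audit record, or None for non-audit console lines."""
    m = RECORD.search(line)
    if not m:
        return None  # login banner, kauditd rate-limit notices, etc.
    rec = parse_fields(m.group(4))
    rec["type"] = TYPE_NAMES.get(int(m.group(1)), m.group(1))
    rec["serial"] = int(m.group(3))
    return rec

def failures(log_text):
    """Userspace records report res=failed; kernel records report res=0."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [r for r in recs if r.get("res") in ("failed", "0")]

if __name__ == "__main__":
    for r in failures(SAMPLE):
        print(r["serial"], r["type"], r.get("op"), r.get("exe"), r["res"])
```

On these sample lines the only record returned is serial 61, the PAM setcred call made by systemd for the account "user".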

Installed a fresh Debian 10 template, ran updates in the TemplateVM, and checked if
qubes-mgmt-salt-vm-connector is installed, which is the case.

This time, though, I got a failed code: 127

   qvm-run -av personal xterm
   Running 'xterm' on personal
   personal: command failed with code: 127

How to proceed?

If the qube has started, (and it looks as if it has), then you can try
in dom0: sudo xl console <qube_name>, which should give you console
access so you can at least start to poke around.

If all you are interested in is getting the data out, then you can
mount the private disk in dom0 or attach it to another qube to copy the
data out.


Thanks, I was able to gain access via console!
Navigation though seems different, Backspace spills out ASCII chars etc.

How do I figure out where the private disk is located?

In dom0, examine the contents of /dev/qubes_dom0:

   ls -l /dev/qubes_dom0

You will see the private images:

   vm-qube-private

If necessary you can mount to access the files.

add -r

like sudo xl console -r [domain]


Not exactly sure how I would mount that private image without compromising security if I mount it in dom0.

Used qvm-copy in terminal to move needed files to a fresh AppVM.

I think there is a confusion that I often see in Qubes.
Except for rare circumstances, there is almost no risk in
copying/moving files between qubes and/or copying files in to dom0.
The risk arises when you execute or use the file - and having the file
there might encourage you to do this.

As always, you must evaluate the likely attack vectors (and your value as
a target).

Agree with this!

Qubes OS does a very good job of telling you a lot of stuff is bad

and that makes people think everything is bad!