Risks when changing Template of AppVM?

I’m wondering if there are any risks associated with changing the template of an AppVM. For example, I have an AppVM based on the whonix-ws-15 template - is there risk of anything going astray when I navigate to Settings > Template, and change it to whonix-ws-16? The same applies for my Debian 10 AppVMs to Debian 11.

The uncertainty is because I don’t understand what Qubes is doing in the background when I make this change in the settings GUI. Could someone please give me insight? Is a new AppVM based on the selected template being spun up and the content copied over?

So in short, should I clone an AppVM before switching its template?

Thanks so much!

In the background, Qubes takes the root filesystem from the TemplateVM and the /home partition stays the same in the AppVM. So if you trust both templates equally, nothing bad should happen. More details: Templates | Qubes OS.

2 Likes

If you have files in private storage with system or custom userids and groupids, you should make sure those user/group ids exist in the new template too, and that they map to the same users/groups.

Especially if you use a lot of bind-dirs.

Sorry, could you clarify what you mean by “private storage”? Thanks! Storage in the App Qube in the /home partition?

Files in /home, /usr/local, and more generally anything in /rw (like bind-dirs).

1 Like

So if I understand correctly, with a template change of an App Qube not only /home but also /usr/local and /rw will persist, but my template UID and GID settings need to be the same as the old template to have the same access permissions?

Everything in the private volume (/dev/xvdb) persists. It is mounted as /rw and (according to findmnt) parts of it are bind-mounted as: /home, /usr/local, and other places configured by bind-dirs.

If you don’t go around creating new users/groups, and don’t use bind-dirs, then they usually already exist in the new template under the same ids, so nothing needs to be done.

1 Like
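The uid/gid check described in the replies above, as an added example that is not part of any post in this thread and is not Qubes project code. The function names `name_for_id`, `used_ids` and `check_ids` are hypothetical, and the script assumes you have copies of `/etc/passwd` and `/etc/group` from both the old and the new template at hand.

```bash
#!/bin/bash
# Added example: compare the numeric owner ids used in a qube's private volume
# with the passwd/group files of the old and the new template.

# Print the name that FILE (passwd or group format, id in field 3) gives to ID.
name_for_id() {
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# List the distinct owner ids under DIR as "u <uid>" / "g <gid>" lines.
# -xdev keeps find on the private volume; -printf requires GNU find.
used_ids() {
    find "$1" -xdev -printf 'u %U\ng %G\n' 2>/dev/null | sort -u
}

# Read "u <id>" / "g <id>" lines on stdin and report ids that are missing in
# the new template or that resolve to a different name there.
# Args: old passwd, new passwd, old group, new group. Returns 1 on any finding.
check_ids() {
    local kind id old new status
    status=0
    while read -r kind id; do
        if [ "$kind" = u ]; then
            old=$(name_for_id "$1" "$id"); new=$(name_for_id "$2" "$id")
        else
            old=$(name_for_id "$3" "$id"); new=$(name_for_id "$4" "$id")
        fi
        if [ -z "$new" ]; then
            echo "MISSING  $kind $id (was: ${old:-unnamed})"; status=1
        elif [ "$old" != "$new" ]; then
            echo "CHANGED  $kind $id ${old:-unnamed} -> $new"; status=1
        fi
    done
    return "$status"
}

# Typical use inside the AppVM, with the template files copied to ./old and ./new
# (assumed locations):
#   used_ids /rw | check_ids old/passwd new/passwd old/group new/group
```

A `CHANGED` line means files in /rw would end up owned by a different account after the switch; a `MISSING` line means they would be owned by a bare numeric id.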

Awesome, I don’t really understand Xen /dev/xvd* but this is a great explanation of what I need to know. Thank you!

Edit: For anyone else who wants to have a better understanding of /dev/xvd*: Template implementation | Qubes OS

1 Like