Root directory impermanence and its exceptions

I am trying to make sense of something I observe in my QubesOS.

Core tenet: AppVM copies the root directory (basically everything outside of /home/user dir) from the TemplateVM, upon AppVM’s boot. From then on, any changes to the AppVM’s root directories are ephemeral. They do not survive an AppVM restart. You can do sudo apt install btop -y inside the AppVM’s terminal, and you will install the btop program in /usr/bin/btop but once you restart the same AppVM, you won’t find /usr/bin/btop there. If you want to get btop installed permanently, you should do the sudo apt install command inside the TemplateVM terminal.

Very well and so far so good.

Now, however, I am seeing a behaviour that’s strange according to this tenet above. Recently I setup an onion server inside a whonix-17 AppVM. This tor hidden onion server hosts my monero daemon’s restricted-rpc server. So, I had to enable the whonix firewall inside the AppVM allow incoming connections from the Whonix-Gateway. To do this, I edited the /usr/local/etc/whonix_firewall.d/50_user.conf using a terminal window INSIDE the whonix AppVM.

So, even though I edited a root directory file (ie, /usr/local/etc/whonix_firewall.d/50_user.conf) INSIDE an AppVM, the changes survived a reboot. Moreover, I am also seeing the same 50_user.conf file replicated under the same AppVM’s /rw/usrlocal/etc/whonix_firewall.d/50_user.conf file.


  1. I didn’t copy the 50_user.conf so how did it get there?

  2. So contrary to most other root file directories, changes in /usr/local/etc survive a reboot in AppVM? I know about the /rw directory, but the /usr/local/etc stuff was new to me. I checked the QubesOS docs but couldn’t see an explanation for this (and perhaps other such directories which survive a reboot).

So I am having some confusions regarding how my QubesOS works. If someone can shed some light and explain, that would be nice.

App qube persistence: /rw (includes /home, /usr/local, and bind-dirs)

1 Like

Yeah, I just read it now. So, if I edit the /usr/local/etc/whonix_firewall.d/50_user.conf file, upon AppVM shutdown, that file automatically gets copied to /rw/usrlocal/etc/whonix_firewall.d/50_user.conf file?

It’s not even copied, it is the same file. /rw/usrlocal is /usr/local/

I don’t see a symlink between them?

I think it’s a mount bind (like /home)


/etc/fstab includes:

/dev/xvdb            /rw            auto    noauto,defaults,discard,nosuid,nodev
/rw/home             /home          none    noauto,bind,defaults,nosuid,nodev   
/rw/usrlocal         /usr/local     none    noauto,bind,defaults        0 0

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.