Honestly I don’t see the point of using Qubes OS then.
You’re connecting all VMs with Samba which is not known for its security. So if one of your VMs is owned, your others can be easily exploited via that Samba server as well.
You might want to reconsider your use case (either for the Samba server or for Qubes OS).
If you read Federico’s post properly you will see that he says he wants
to samba share between some standaloneVMs, not all VMs.
There are many use cases where you might want to use Qubes while
sharing data between individual qubes, usually within the same security
domain.
As far as sharing with Samba, then you should connect the qubes to
another netvm - not sys-firewall, because it’s stated that you don’t want
to touch sys-firewall. Then implement standard firewall rules to allow
samba traffic between the qubes - read https://www.qubes-os.org/doc/firewall - the section on “Enabling
networking between two qubes”
You can find the firewall config you need at www.samba.org - basically
udp 137/138 and tcp 139/445.
As for a shared storage qube, the simplest implementation would be to
run rsync over qrexec - take a look at https://github.com/unman/qubes-sync where I discuss, and provide a
solution.
OK
I have 2 VMs
I have to share persistent files, ie inside a folder of one of the 2 machines, or set up a new machine for this.
Do you have a way to do it?
I’m not interested in using samba … ok?
I need a repository from which my machines can download files. Indifferent the type …
limits
100 Gb of space
Access via folder and mint deb linux interface.
Is there any way?
thank you very much to those who want to answer.
Federico Gavazzi
Hi again Federico,
sorry for misunderstanding (“all” vs “two”/“some”) you in the first place, unman was right about that.
In general the following decision matrix for data sharing applies:
a. Qubes tools installed on involved VMs, rare data sharing → qvm-copy
b. Same VM OS, lots of data sharing → make one VM out of the two and/or move the less shared data to a dedicated VM (there’s no real security need for a split)
c. Different OS, no Qubes tools installed, lots of data sharing (your case it seems) →
Build a network infrastructure looking like this:
sys-net – sys-fw – sys-server-net – your VM 1
                                  – your VM 2
I.e. create a new VM sys-server-net and connect your VMs with qvm-prefs [your VM 1] netvm sys-server-net to the sys-server-net VM. Also connect the sys-server-net VM to your sys-fw, if you need internet access (otherwise not needed): qvm-prefs sys-server-net netvm sys-fw.
Then you could install your Samba server (or ssh or whatever you prefer) on sys-server-net and you’ll have to allow whatever connections you want to allow between the VMs on sys-server-net: Edit /rw/config/qubes-firewall-user-script on sys-server-net and make it executable for that. It’s standard iptables as in any other environment, i.e. you’ll probably have to allow access on the INPUT chain if you installed a server on sys-server-net. You can only break networking stuff related to your two VMs on sys-server-net, so nothing to worry about. See [1] for details.
unman pretty much said the same though. His sync tool might be an alternative; I’m just not sure whether it works without any Qubes tools installed.
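As an added example (not part of any post in this thread, and not Qubes project code), here is one way the /rw/config/qubes-firewall-user-script on sys-server-net could admit only the two client VMs to the Samba ports named above. It assumes the iptables-based firewall the thread describes; the client IPs and the APPLY switch are constructed for illustration.

```shell
#!/bin/sh
# Added example: candidate body for /rw/config/qubes-firewall-user-script on
# sys-server-net. The client IPs are constructed placeholders; read the real
# ones in dom0 with: qvm-prefs <vm> ip
CLIENTS="10.137.0.21 10.137.0.22"   # constructed: "your VM 1", "your VM 2"

# Accept only a dotted-quad IPv4 address so nothing else reaches iptables.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the INPUT rules for one client: the Samba ports named in the thread
# (udp 137/138, tcp 139/445), limited to that client's source address.
samba_rules() {
    valid_ip "$1" || { echo "bad client address: $1" >&2; return 1; }
    echo "iptables -I INPUT -s $1 -p udp -m multiport --dports 137,138 -j ACCEPT"
    echo "iptables -I INPUT -s $1 -p tcp -m multiport --dports 139,445 -j ACCEPT"
}

# Build the whole rule set, failing on the first bad address.
build_ruleset() {
    for ip in $CLIENTS; do
        samba_rules "$ip" || return 1
    done
}

# Dry run by default (print only). With APPLY=1 (hypothetical switch of this
# example) the rules are executed, and only if every address validated.
rules=$(build_ruleset) || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | sh -e
else
    printf '%s\n' "$rules"
fi
```

Because each rule carries a source address, a third qube later attached to sys-server-net gets no access to the share until its IP is added to CLIENTS.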