Startup script after boot and login to automate which VMs I start with which apps and which partitions I attach to which VMs

I want to make a startup script that automates the starting of VMs, the decryption and attachment of disks and partitions, etc. after I boot and enter my user password. Without a script I need about 10-15 minutes of active work to get everything up and running.

I don’t expect someone to write my script for me and I’ll try to answer all the questions I posed, but I’d appreciate some ideas. Also this might be useful to someone who wants to do something similar. Some of the things here aren’t Qubes-specific (like desktop files and app options). Here’s what I have so far. I haven’t tested it and my bash is a bit rusty, so there might be mistakes.

  • Ask for confirmation every major step of the way in case of a problem.

  • Ask to update VMs (decline if in a hurry, etc.).

  • Update VMs, but make clones first in case of a botched update. -clone-1 could already exist, so either find the lowest number after -clone- that’s free OR call the new VM fedora-32-clone-. The latter is better in my opinion as it makes it easy to see when a clone was made.

current_date=$(date +"%Y-%m-%d-%H-%M")
qvm-clone fedora-32 fedora-32-clone-$current_date
qvm-clone debian-10 debian-10-clone-$current_date
qvm-clone whonix-ws-15 whonix-ws-15-clone-$current_date
qvm-clone whonix-gw-15 whonix-gw-15-clone-$current_date

What’s the maximum length of a VM name?
Check if there’s enough space on disk for clones. What happens if there isn’t? Will qvm-clone gracefully fail or will the disk get filled up leading to an unusable system somehow?

  • Launch dom0 terminal with xentop -f on one tab and another tab with just a prompt. The terminal launches by itself IIRC, so I just need to open a new tab, but I don’t know how to do it from bash.

  • Launch several VMs with certain apps:

  • disp VM for LUKS decryption - Konsole
    I forgot how to make a named disp VM, but let’s call it LUKSdispVM here. If it’s not named, I’ll have to get its name (e.g., disp1234) for later.
    I attach dom0:sdb1 and other disks to the LUKSdispVM, decrypt them there and then pass the newly available LUKSdispVM:dm-1 partitions from dom0 to the target VM that will use them. Kind of like Split dm-crypt, but with only one disp VM.

qvm-run --dispvm fedora-32-dvm-no-net --service qubes.StartApp+org.kde.konsole
  • vault - KeePassXC
qvm-run --service -- vault qubes.StartApp+org.keepassxc.KeePassXC

Why doesn’t qvm-run vault --service qubes.StartApp+<program> work? -- is used to signify the end of command options, after which only positional parameters are accepted, but wouldn’t qvm-run --service qubes.StartApp+<app> -- vault make more sense here?

  • VMs that will use the decrypted partitions (mainly for media, torrents, etc.) - Konsole
qvm-run --service -- mediaVM qubes.StartApp+org.kde.konsole
qvm-run --service -- torrentVM qubes.StartApp+org.kde.konsole
  • books - Dolphin
qvm-run --service -- books qubes.StartApp+org.kde.dolphin
  • personal (notes, documents, etc.) - Kate
    Can I start it like 'kate /path/to/file' and still have the session opened?

qubes.StartApp+org.kde.kate doesn’t work right now because when I save a session in Kate, it makes a new .desktop file in ~/.local/share/applications/org.kde.kate.desktop, which overrides the original /usr/share/applications/org.kde.kate.desktop. Even though the Exec= part in the new .desktop file is the same, I can’t open it with qubes.StartApp or from the GUI menu.

qvm-run --service -- personal qubes.StartApp+org.kde.kate
  • disp VM for clearnet browsing - Firefox

qvm-run --dispvm fedora-32-dvm --service qubes.StartApp+firefox

  • mail - firefox (or a disp VM for mail)
    I can’t pass a URL option to firefox with qubes.StartApp, so I’ll use the normal way of running a command in the VM.
qvm-run mail 'firefox https://<mailprovider>'

How to open more than one tab like that, especially in a disp VM that doesn’t have a saved session?

  • fedora-xx-dvm - firefox with router IP for diagnostics (I like to have it open at all times)
qvm-run --dispvm fedora-32-dvm 'firefox <router IP>'

Tor and clearnet apps should be started at different times to prevent timing correlation. Should I start clearnet or Tor first? VMs are updated via Tor, so even if I start clearnet VMs first, I’d have already connected to Tor. However, that Tor connection isn’t related to the Tor connections via Whonix, except for the entry guards who I have to pretty much fully trust to not perform correlation attacks. So I should start clearnet VMs first and after about a minute start the Whonix VMs so that someone controlling or monitoring both a site I connected to over clearnet and a site I connect to over Tor wouldn’t know I’m the same person (although they could by measuring speed, etc.).
Sleep for a random amount of time (20-60 seconds) after opening one of the connections and before opening the other:

sleep "$(( RANDOM % 41 + 20 ))s"
  • whonix-ws - Tor Browser
qvm-run --dispvm whonix-ws-15-dvm --service qubes.StartApp+janondisttorbrowser
  • signal VM - signal-desktop
    I would prefer a terminal that starts signal-desktop so that I can view the real time logs, but I don’t know how to do that automatically.
qvm-run --service -- whonix-ws-15-signal qubes.StartApp+signal-desktop
  • Have lsblk -f | head -15 and qvm-block list in dom0.

qvm-block list doesn’t show UUIDs, but lsblk -f does. If everything is as expected, qvm-block attach LUKSdispVM dom0:sdb1 based on UUID. I have to get /dev/sdX from the corresponding UUID automatically because the /dev/sdX assignment isn’t 100% predictable.

  • In vault VM give KeePassXC the password for my LUKS passwords (or passphrases, as some people like to call them) - that has to be done manually, although I’m not sure if that’s more secure than just having the LUKS passwords in plaintext in dom0 (and in the script) since a dom0 exploit could keylog me anyway and get the KeePassXC password and the LUKS passwords.

  • Paste passwords in LUKSdispVM when prompted for decryption (or decrypt automatically somehow). Can I automate inter-VM copy-paste? Decryption should be based on UUIDs just like attaching from dom0 to the LUKSdispVM.

qvm-block attach mediaVM LUKSdispVM:dm-1, but how to match dm-X to UUID to be sure I’m attaching the correct partition?

  • Mount storage in mediaVM, torrentVM, etc. (test by making a small file in each one?)

  • Launch Clementine, Dolphin, Deluge, etc. in mediaVM and torrentVM.

  • In vault VM give KeePassXC the password for my accounts (mail, etc.).

  • Login to mail, etc.

  • Close Vault

  • Automatically arrange windows within workspaces on XFCE (e.g., media windows go to workspace #3)

I found this thread about auto-mounting and decrypting disk on AppVM startup and I’ll read it as well.
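As an added example (not code from the original post), here are a few dom0 shell helpers for two of the steps sketched above: resolving the /dev/sdX name from a UUID before running qvm-block attach, and the randomized delay between starting clearnet and Tor VMs. The VM name LUKSdispVM, the DRY_RUN and LSBLK_OUTPUT variables and the sample lsblk listing are constructed for this example; qvm-block attach and lsblk are the real commands.

```shell
#!/bin/sh
# Added example helpers for a dom0 startup script (not from the original post).

# Print the kernel device name (e.g. sdb1) whose UUID matches $1.
# Input is `lsblk -rno NAME,UUID` output on stdin, so the function can be
# exercised against constructed data. Exit status 1 when nothing matches.
device_for_uuid() {
    awk -v want="$1" '
        $2 == want { print $1; found = 1; exit }
        END { exit !found }'
}

# Constructed sample of `lsblk -rno NAME,UUID` (LUKS containers show their
# header UUID here, so the same lookup works for encrypted partitions).
SAMPLE_LSBLK='sda
sda1 1A2B-3C4D
sda2 11111111-2222-3333-4444-555555555555
sdb
sdb1 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

# attach_by_uuid VM UUID
# Look the UUID up at call time (the sdX letter can change between boots)
# and attach that partition to VM. LSBLK_OUTPUT (constructed for testing)
# overrides the live lsblk call; DRY_RUN=1 prints the command instead of
# running it, so the script can be rehearsed outside dom0.
attach_by_uuid() {
    vm=$1
    uuid=$2
    listing=${LSBLK_OUTPUT:-$(lsblk -rno NAME,UUID)}
    dev=$(printf '%s\n' "$listing" | device_for_uuid "$uuid") || {
        echo "no block device with UUID $uuid" >&2
        return 1
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "qvm-block attach $vm dom0:$dev"
    else
        qvm-block attach "$vm" "dom0:$dev"
    fi
}

# random_delay MIN MAX: print an integer in [MIN, MAX] inclusive.
# awk's rand() is used instead of $RANDOM so this also works in plain sh.
random_delay() {
    awk -v min="$1" -v max="$2" \
        'BEGIN { srand(); print int(min + rand() * (max - min + 1)) }'
}

# Usage in the startup script (LUKSdispVM and the UUID are constructed):
#   attach_by_uuid LUKSdispVM aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
#   qvm-run --dispvm fedora-32-dvm 'firefox <router IP>'
#   sleep "$(random_delay 20 60)s"
#   qvm-run --dispvm whonix-ws-15-dvm --service qubes.StartApp+janondisttorbrowser
```

Keeping the lookup in a function means every attach in the script names a UUID rather than a device letter, and a missing UUID aborts that step instead of attaching whatever currently sits at sdb1.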

Ask to update VMs

Consider just writing a function to add in .bashrc that does this. Simply don’t run the script if you are in a hurry.

Since you are doing so many things, why not write multiple functions and then run the appropriate function as needed? This could also help with your timing/correlation concerns.

Update VMs, but make clones first in case of a botched update

Completely unnecessary IMHO. Whenever a template starts up, it keeps a backup of the last version of the root volume if qvm-volume info fedora-32:root revisions_to_keep is > 0. In case of a botched upgrade, you can just qvm-volume revert fedora-32:root to roll back. If you are paranoid, you can increase the number of automatic copies, e.g. qvm-volume config fedora-32:root revisions_to_keep 2.

Launch dom0 terminal with xentop

I don’t know about a specific tab, but you can use

xfce4-terminal -e 'xentop -f' --geometry=169x24 &

Edit: fixed revisions_to_keep


Hi @QubesUser32, welcome to the forum!

This sounds like a very specific setup. In order to make it easier for people to help you I would suggest you try to break it down into its various components and start a thread for each. That way people can contribute to them without having to track lots of parallel conversations and also because later those discussions may help people out.

And you’ll also see that some people already did part of your setup that may interest you. One particular example is Auto-mounting and decrypting disk on AppVM startup (as you mentioned at the bottom of your post).

And then when you’re done with your full setup, you can use this thread to document what worked, what didn’t and in which threads those were solved. (But this is just an idea)


Quoting unman from another thread:

You can also make this with i3wm, but I think this conversation deserves its own thread as there may be other (even better) ways to do it.

For complex configurations like these, using a configuration management engine like SaltStack may be a better bet – and Qubes is integrated with SaltStack (but it’s quite different from Bash scripts). In case you haven’t come across it, take a look here:

This will make your life easier (in the long run) thanks to the increased maintainability.

Bash scripts often break because you changed a tiny thing manually on your setup. Whereas with salt, instead of describing the steps to achieve your desired config (imperative), you describe what your desired config looks like (declarative). So if something changes in the path to get to your desired state, salt will manage that for you.


Thanks a lot! I didn’t know about the automatic backups and had actually never used qvm-volume before. I think it’s just a typo, but it should be fedora-32:root, like in the other examples, right?

And you’re right about the .bashrc that just ask if the script should be run.

I think a lot of people have multiple storage devices whose partitions they have to attach to different VMs. They could directly attach the partitions to the target VMs for decryption, but it’s less secure that way, especially if the target VM has internet access.

You’re right, definitely.

I used i3wm on Fedora a year ago and really liked it. Same with KDE, I’ve been using it for years. If I can’t find a way to do it with XFCE, I’ll probably switch to one of those.

I didn’t think it was possible to do it with Salt, but I have no experience with it anyway. I thought it could just automate the configuration of new Qubes machines so that they are similar and stuff like that. I’ll read more about it.

Thanks again, you’ve both given me a lot to think about and read!


I’m also not so deep on salt, but I think it’s worth taking a look. I have a simple setup that deploys my i3 configuration and it works like a charm whenever I need to reinstall Qubes.

I mentioned this since a lot of stuff you mentioned seemed to be VM-specific configurations (which salt manages well), but for things that are dom0 related, it can also be useful if you include the scripts there and then use salt to add them to .bashrc.

Right, sorry.