Strategies to migrate dom0 root files to new physical machine

I see that qubes docs saying:

only the home directory is backed up. Therefore, if there are files outside of the home directory you wish to save, you should copy them into the home directory prior to creating a backup.

Now I have some edits to the policy files for various tools such as split-ssh, split-gpg, along with possible other edits. QubesOS backup tool not backing these up is a bummer, because such policy files are scattered around various directories and files.

Are there any strategies for locating the user edited policy files and migrating them to the new machine that other users have?

Short answer: symlinks

Long answer:

Symlinks on Linux are one of the most powerful underestimated tools in the hand of users to facilitate transfer of individual files to user’s home directory. Some use cases:

  1. Actual custom policy files could be within user’s home directory. Symlinks to those files could be created at /etc/qubes/policy.d
  2. User’s custom salt formulas could be within user’s home directory. Symlinks to them could be created at /srv/sat/...
  3. Actual config files at /etc/* could be stored in user’s home directory. Symlinks to them could be created there.
2 Likes

Interesting answer. How would symlinks work with files that has to be owned by the root user and group? the files in my home dir would have root as their owner and groups?

Yes. root could create and modify files everywhere including users directories. With any ownership & permission. In many cases the original software will not care about ownership and permissions (e.g. the policy files). In some cases it is sensitive (e.g. salt files).

1 Like

That’s a cool workflow for making changes to policy files and still keeping them in your home dir (so that the qubesOS backup tools grab them). I will consider migrating to this setup with my QubesOS. Thanks for the idea.

1 Like

I have this command running once in a while so most important files are picked up with dom0 backups

rm -f ~/backup_dom0_extra_home.tar.gz
sudo tar czvf ~/backup_dom0_extra_home.tar.gz /root/ /etc/ /srv/user*
3 Likes

@alimirjamali the breadth of the changes to my dom0 /etc/ directory that I would like to migrate to a new physcial machine’s dom0, that I was able to recognize, so far, are the following files:

  • /etc/qubes/policy.d/30-user.policy
  • /etc/qubes/policy.d/50-config-splitgpg.policy
  • /etc/qubes/policy.d/50-ssh.policy

These are the files that I’ve manually modified on the commandline fitted to my workflow and usecases. However, upon closer look, I realize that the 50-config-splitgpg.policy and the 50-ssh.policy files’ contents might as well be included in the 30-user.policy file. Because the aforementioned 50-* files just contain lines such as:

qubes.Gpg * <gpg-frontend-qube> <gpg-backend-qube> ask target=<gpg-backend-qube>

or

qubes.SshAgent * <ssh-frontend-qube> <ssh-backend-qube> ask target=<ssh-backend-qube>

These two kinds of lines that I have inserted via sudo vim command are very similar to what I have inserted to the 30-user.policy file, via simply vim command, making the 30-user.policy file belonging to my user’s, and thus possibly simplifying the symlinking a file from my user’s home directory to the /etc/qubes/policy.d directory.

Did such a thing occur to you in your symlinking workflow: that, you can collect ALL your customizations to the qubes-os policies into your 30-user.policy file?

I have more than one custom policy file. For example one for sys-audio, one for personal qube, …

One side note that the Qubes OS Policy Editor (GUI) can not edit symlinked policy files (I just recognized it). You will be have to use vim or other text editors for modifying symlinked policy files (at this moment). This is the disadvantage of the symlink strategy at this moment. I will have to work for a fix for this.

1 Like

I am more than OK with editing the policy files in my home directory (which then get symlinked to the /etc/qubes/policy.d/ dir) with vim (or jove, if it was included by default in dom0 haha).

Why do you not collect them all under the 30-user.policy file?

Just personal preference. Better organization of policies in individual files.

1 Like

So, you have 30-sys-audio.policy, 30-personal-qube.policy, etc. files? I am interested in the number preceding the file names of your custom policy files – they are all a low number, am I rightly guessing?

I believe policies are evaluated sequentially (this type of numbering scheme is usually like this). Lower or higher numbers are usually relevant only if there is a conflict. I can check this up for you if you like.

If this doesn’t offend your privacy, I would be interested in seeing a tree command output of your /etc/qubes/policy.d/ directory, OR, only the names of your custom user policy files.

2 Likes

Yep. I have just symlinked my /home/user/30-user.policy file to the /etc/qubes/policy.d/30-user.policy file as well. In contrast to your setup, I will be collecting ALL my mods to the policies in this single file (I will be using comments in that file to structure it). I will also move the contents of the split-ssh and split-gpg configs into my 30-user.policy file. This should make migrating my dom0 to a new physical machine a breeze.

1 Like

Nice and simple, but why not “/srv/” instead of “/srv/user*”?

I don’t think users are supposed to modify stuff in /srv/ except in /srv/user*, but feel free to adapt the paths of course.

I try to modify the least things possible manually, but if you have some files in /var or /opt/ just add them to the backup list.

Makes sense, just saw formulas and salt folders and thought this would be some custom things already but I guess these are just the shipped ones…