Sys-net won't connect without GUIVM?

Hi,

I have been trying to use sys-net in a headless mode and I am seeing something strange:

user@sys-net:~ > nmcli c up id myconnection
Error: Connection activation failed: Not authorized to control networking.

The same command works as expected and connects when guivm is set to dom0.

What is the reason for this?
Why should networking need GUI?

NetworkManager’s default policy (via polkit) is that only a user on an active local session (or root) can manage networking. Without GUIVM, there is no “active local session”… But if you have qubes-core-agent-passwordless-root, that check should be bypassed.

1 Like

@marmarek

Thanks for the feedback.

What is the proper way to have a minimal headless sys-net without passwordless root?

I would like to make it as small as possible, ideally having only what is strictly necessary for networking, without the extra graphics stuff that qubes-core-agent-network-manager brings in.

I think it is more appropriate to have the GUI control in the GUIVM (which is its job), thus having task-based separation. I can add e.g. a panel launcher that communicates with sys-net through qvm-run and an indicator showing connected/disconnected.

You are setting yourself up for failure… Without this package, NM config won’t persist, DNS won’t update, and a few other things.

I don’t think Network Manager supports that out of the box… You either need to be root, or a user on a proper local session. I guess you can try to adjust the polkit config to allow a specific user, but you’d need to figure out how and what is needed on your own.

If you want to go this way, you can use qvm-run -u root (and give your GUIVM permission to call the qubes.VMRootExec service on your sys-net). But be careful what you do with qvm-run output - if your sys-net is malicious, it could try to trick your launcher into doing something you didn’t intend.

1 Like
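
One way to handle the qvm-run output caution from the reply above, as an added example that is not code from the thread or from the Qubes project: a GUIVM-side status check that treats everything sys-net returns as untrusted bytes and only ever acts on its own constants. The qube name, the nmcli query, the size limit and the icon names are assumptions chosen for illustration.

```python
import subprocess

# Assumptions (not from the thread): qube name, nmcli query, size limit and
# icon names are illustrative choices for a GUIVM-side indicator.
NETVM = "sys-net"
QUERY = "nmcli -t -f STATE general"
MAX_BYTES = 64  # a legitimate answer is one short line

# Closed set of answers the launcher will act on; anything else is "unknown".
STATE_ICONS = {
    b"connected": "network-connected",
    b"connecting": "network-connecting",
    b"disconnected": "network-disconnected",
}
UNKNOWN = "network-unknown"


def classify(raw: bytes) -> str:
    """Map untrusted bytes from sys-net to one of our own constant strings."""
    if len(raw) > MAX_BYTES:
        return UNKNOWN
    line = raw.rstrip(b"\n")
    # Exact match only: no decoding, no substring search, and no copying of
    # sys-net's text into labels, notifications or shell commands.
    return STATE_ICONS.get(line, UNKNOWN)


def query_state(run=subprocess.run) -> str:
    """Ask sys-net for its state; every failure mode collapses to UNKNOWN."""
    try:
        proc = run(
            # Argument list, so no GUIVM shell ever parses anything here.
            ["qvm-run", "--pass-io", "--no-gui", "-u", "root", NETVM, QUERY],
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
            timeout=5,  # bounds how long sys-net can stall or keep streaming
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return UNKNOWN
    if proc.returncode != 0:
        return UNKNOWN
    return classify(proc.stdout)


if __name__ == "__main__":
    print(query_state())
```

The value returned is always one of the four strings defined in the GUIVM, so a panel indicator built on it never renders or executes anything sys-net wrote.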

That sounds like a unikernel