Bad example. Minimal templates are not for experienced users.
I’m guessing you meant inexperienced users.
This inexperienced user certainly became more experienced trying them out! (All because I didn’t like what I deemed to be contextual bloatware (belongs in template A but not in template B, yet is in both).)
I don’t feel so bad now.
I’m a complete rookie when it comes to matters GPG.
exactly what brought me to set up minimal templates as well. especially since I prefer having a specific and separate template for (almost) each app-vm.
Actually, because the proxy is listening on 8082 and it’s configured to
allow inbound traffic to that port, you can use the proxy with any
qube, including standalones and qubes that dont have working qrexec.
You just need to have the proxy somewhere upstream, and configure using
the normal mechanism for specifying a proxy.
You could do this with Windows if you had a number of such templates. I
have no idea what the structure of a windows update request might be, or
if it would work.
1 Like
I’m not a windows user.
The notes clearly say that changes will be made for every template that
exists on installation.
So yes, every template is opened, and is reconfigured if it is Arch,
Debian or Fedora. Other templates should just close down without changes
being made.
1 Like
Yes it is. Based on feedback I’ve received, it seemed that users wanted
those media qubes to have extra packages, as well as networking
available. It doesnt take much for a debian-minimal to morph in to a
stock debian. So I opted to base on the stock.
I don’t run that myself,(my media qube is minimal), and I’m open to
persuasion for this package.
2 Likes
I’m one of those people who is struggling. I couldn’t get the GPU vm installed. I was soooo close too, everything else worked. I loved it, but had to put Qubes on hold, till my next break. In production right now, and only my new pc is Qubes compatible, it’s the reason I chose it. I script like yours would definitely help, especially along installing the gpu vm.
How I can install this with salt ?
Do you want a salt formula to set-up the 3isec repository and install
the tool?
I can do that.
1 Like
Yes, I would appreciate that.
Got it working yesterday and added the split-gpg, multimedia and cacher templates and VMs. What is unclear for me - how can I start updates manually now (after all is changed to update via sys-cacher) - do I just have to wait, until the Qubes Updater shows available updates now?
Does launching Qubes update tool and manual selecting updates invoke cacher? If everything is properly set, I’d be surprised “no” would be the answer.
Yes. If it is not running it should be started as part of the update
process.
The user experience for running updates should be unchanged, and cacher
should be transparent to user.
Some issues -
-
if you want to run updates over Tor you must have your Tor
proxy upstream of cacher - either directly as it’s netvm, or as some
netvm upstream. This isn’t set automatically if you select “update over
Tor” and wont be unless the package becomes official. -
@Insurgo has pointed out that the package doesn’t play nicely with
Whonix. In particular it will rewrite repository definitions in Whonix
templates, and set a policy that overwrites the Whonix defaults. I’ve
fixed the latter and am thinking about the former issue. If you have
Whonix templates you should restore the repository definitions either by
runningsed -i s^http://HTTPS///^https://^ REPO_FILE, or by running
qubesctl --skip-dom0 --targets=WHONIX_TEMPLATE state.apply cacher.restore_templates
Replace REPO_FILE with the path to the repository definition.
Replace WHONIX_TEMPLATE with the name(s) of your Whonix templates.
- On install, the package attempts to open all installed templates to
make necessary changes. This includes Windows qubes and standalones:
it’s unlikely that you will have configured these to be capable of
salting, so this is a waste of time. I don’t have a way round this.
You will have to just shutdown such qubes.
If you have standalone created from existing templates, these will be
capable of being salted, and can be controlled and updated using the GUI
tool.
unman
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
3 Likes
I am to comment that, if you are accustomed to installing pkgs in dispvm to try them out, or to satisfy some compiling requirements, before actually modifying your templates, you will have to reverse the cacher’s impact on your dispvm’s root template ( like fedora-36). Or you won’t be able to fetch repo info in that dispvm.
that’s the answer especially for my problem. Thanks a bunch and fixed now.
Yes, all template based qubes inherit the settings in the template. This
includes the repository definitions.
You can reverse the changes - sed -i s^http://HTTPS///^https://^ REPO_FILE
I don’t - I have cacher in the network path -
qubes → cacher → sys-pihole → sys-net
and I set the proxy in the qubes.(You can do this from
/rw/config/rc.local if you use qubesdb-read /type to detect if it’s an
AppVM, and then set proxy to the IP address on your system.)
apt-cacher-ng has many nice features.
One that I use is to restrict the use of the proxy from templates - I
never agreed with the decision to remove restrictions from tinyproxy.
You probably know that you can use the listening proxy from templates to
do all sorts of things besides updates - download keys, access arbitrary
sites, etc.
If you edit /etc/apt-cacher-ng/acng.conf and set ForceManaged 1, then
the proxy will only allow access to the remapping backends you have
defined.
This is intermediate level Qubes: it increases the security of templates
a little, but requires more user intervention in some cases. It could
be that you never need to reset this, depending on your usage.
When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes
If you guys have implementation recommendation into making cacher play nicely with whonix templates, so that whonix templates can also reuse debian-11 downloaded packages from cacher instead of redownloading them for each Whonix templates individually, please comment at https://github.com/unman/shaker/issues/12
what would happen with
sys-net->sys-firewall->cacher1->sys-whonix->cacher2
setup, while setting for all non-whonix qubes to update from cacher2, and all whonix-based qubes from sys-whonix?
“Other templates should just close down without changes being made.”
Maybe my system is just slow but it seemed the windows templates didn’t just close down without changes being made; it was taking a while to do SOMETHING.
Two of the templates did not shut down at all. Hours later they were spinning, still, and I just did a kill on them.
It’s my fault for never backing them up and removing them. I got to be the guinea pig (occasional) windows user [as little as possible, but I cannot, for example, get my printer to work on a Linux qube, nor will my Canon camera software].
But I do in earnest suggest something be put in to just skip windows templates; they don’t seem to tolerate this well.