Ultra minimal systemd-free Qubes

James369 · October 8, 2025, 1:17am

I have been researching to make the most minimal, systemd-free lightweight Qubes-VMs and am looking at Alpine-minirootfs downloads | Alpine Linux or TinyCoreLinux Downloads Tiny Core Linux. Both are less than 100mb and could even be configured to run a browser or networking related tasks.
I am curious if anybody has experimented with either build and if these could be used as templates?
There seem to be many advantages i.e small footprint, minimal attack-surface and minimal resource usage.

Reduce memory footprint: TinyCore Linux, Alpine Linux, Micropython

opened 08:20PM - 25 Feb 20 UTC

mfp20

C: other P: default

**The problem you're addressing (if any)** QubesOS major disadvantage is resour…ce consumption, and above all RAM utilization. This create problems for most of the potential users out there, especially the ones using laptops; considering a couple of (4GB+) internet browsing machines, those on laptops are often limited to 3-4 app VMs at max, and very little compartmentalization advantages. By using extreme resource optimized linux flavors it is possible to mitigate this problem and unleashing Qubes' full potential. The same applies for qubes specific tools written in python: micropython runs on less than 1MB of RAM. **Describe the solution you'd like** **Ideally** moving dom0, system VMs (net, usb), and internet browsing machines, to a musl/uclibc based distro (ex: Alpine Linux) would do the trick, but usually moving out from glibc brings to a subset of available packages, more effort to port any exotic package, and limited support from upstream distribution teams because of a smaller users number for those less popular distributions. Moreover, Alpine linux can run from a squashfs read-only fs, overlay-ed with a read-write fs (alongside a traditional rw install); it's way more flexible (and safe) than current /rw method. Another good optimization could be to slowly shift qubes specific tools to Micropython and get rid of libvirt (and its python tools). But as a start **introducing a TinyCore template would be enough** to start experimenting and give some more juice to low-RAM systems. **Where is the value to a user, and who might that user be?** Low-spec systems, laptops, are the ones to benefit most; but I'd benefit too despite my 16 cores and 64GB of RAM, as I'd be able to increase the compartmentalization level multiplying the number of concurrent VMs. **Describe alternatives you've considered** Honestly I haven't been searching for alternatives in recent times. In the past there used to be 2-3 tiny Linux distros (ex: something like "Linux On Floppy"). Some of those could be alive.

MellowPoison · October 8, 2025, 3:05am

James369 · October 8, 2025, 3:14am

Thanks, I have that installed and its great! Alpine even has a very easy way to install LibreWolf
FWIW I have tried to use his repo to make a minimal-version based on the minirootfs but failed. Then I tried stripping his version of unnecessary packages and also didn’t get the desired result. I.e. too many unnecessary packages remained and Alpine is quite funny about what it lets you remove, even with
apk del --force-broken-world

I am surprised nobody seems to have worked with tinycore yet. It seems like it would be great in Qubes.

unman · October 8, 2025, 11:22am

I have a number of core qubes, as I’ve mentioned before… But they lack
any of the Qubes integration, which is somewhat limiting.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

James369 · October 8, 2025, 11:35am

Interesting, If you don’t mind me asking, what do you use them for, was it easy to setup or do you have any tips or examples that could help me out kind sir?

arkenoi · October 16, 2025, 6:51am

liteqube is closest thing, but there is still systemd (also why not NixOS? i am thinking about moving everything to NixOS)

James369 · October 21, 2025, 11:14pm

Thanks, I tried and went very deep into liteqube at one point, even tuned some of the scripts on the 1st Git. I liked his debian-base and tor ones, but found a lot of it a bit messy. I would like to see either more mirage kernel based single task qubes (there was even a mirage-vpn around at one point) or as Unman hinted at, Core base or alpine single task qubes for sys-qubes and perhaps even a unikernel browser.

Browsers on Unikernels - Kernel
Kernel's Unikernel Browser Technology Achieves 20ms Cold Start Times, Dramatically Outpacing Docker - BigGo News
Re: NixOS, I honestly haven’t given it much of a go, but the small dabbling I have done, I found it overly complicated and daunting for the small tasks I was expecting so I gave up, I also didn’t get the feeling it was aiming for the kind of minimalism I was going for, but there seems to a be a lot of hype around it and I probably haven’t given it the time to comment.

arkenoi · October 22, 2025, 5:25pm

thanks! i am working now on migrating install to ansible and cleaning up mess a bit.

hubnottu · October 23, 2025, 9:25pm

NixOS is daunting, but there is a reason – it’s not just NixOS that you have to learn, but also Nix and Nixpkgs.

So, in addition to the “arbitrary, but regular distro differences”, you also learn:

the lingua franca that expresses the entire world
the package repository definition that allows you to easily add or tweak packages – proof is in the Nixpkgs size, the largest package repository of all
if you go beyond NixOS per se, you also learn cluster deployment (nixops et al.) and CI (Hydra et al.), also expressed in the same lingua franca of Nix

tanky0u · October 24, 2025, 12:25pm

NixOS
[… 6 lines elided]

the lingua franca that expresses the entire world

Imo, GuixOS and its Guile Scheme lang fits that “lingua franca”
definition better, as Guile Scheme is portrayed as “Officiel GNU
Extension Language”.

qubist · October 29, 2025, 2:17pm

@James369

You may want to have a look at:

James369 · October 30, 2025, 4:03am

looks good, thanks, although I don’t know how to use that at the moment.

The mirage sys-vpn I am learning/working on atm, (maybe it’s also be possible for sys-proxy?)
we have mirage firewall (perhaps a sys-net or sys-usb ?)

I tried the browser and its pretty clunky, it was designed for cloud automation, but it shows it can be done.
The firefox and chrome inside tiny-linux is basically unusable. I also built a alpine / midori vm midori - Alpine Linux packages
but that is also mostly useless.

What is very interesting is the oniux package Introducing oniux: Kernel-level Tor isolation for any Linux app | The Tor Project

I wont go into that, but I really recommend reading up on it!

Its what the inventor of tor is working on now ( a Rust rewrite of tor )

it has an alpine package:
https://pkgs.alpinelinux.org/package/edge/testing/x86_64/oniux

which could have some great applications!

qubist · November 2, 2025, 2:48pm

I haven’t used any of those. I have only worked on minifying Debian 12 minimal:

I have also asked myself about whether a different approach is more suitable:

James369 · November 4, 2025, 10:53pm

Yes that’s great work @qubist I use that in a deb-12-nano script. I also found that I was able to remove some fonts and other things.

qubist · November 5, 2025, 3:12pm

@James369

I also found that I was able to remove some fonts and other things.

Are you saying you have found even more packages that can be removed from debian-12-minimal? If yes, please comment in that other thread, so we can add them to the list.