From f14b5dd8bdd2d0cd9210486ebe2a61f5833d9992 Mon Sep 17 00:00:00 2001 From: TimFW Date: Mon, 8 Feb 2016 19:04:55 -0500 Subject: [PATCH 01/37] Add full instructions for Archlnux Template build Replaced short orginal intro and link to the dated developer's section template example with step by step instructions as discussed in the devel mailing list. I have reviewed the steps and checked the text but please review and make any changes/corrections as needed. --- managing-os/templates/archlinux.md | 650 ++++++++++++++++++++++++++++- 1 file changed, 635 insertions(+), 15 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index d7e61f21..60129ef2 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -16,27 +16,647 @@ be considered experimental as Qubes developers team use mainly Fedora-based VMs to test new features/updates. Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). -He also provides binary updates for the template, which are signed using this -key: - pub 2048R/C1833B9C 2014-03-27 [expires: 2016-03-26] - Key fingerprint = D85E E12F 9678 51CC F433 515A 2043 E7AC C183 3B9C - uid Olivier MEDOC (Qubes-OS signing key) +
+ +##Instructions + +
+**These are the instructions for Qubes 3.1. They will take you step by step thru the entire process start to finish** + +*Note: Currently there are no binary packages and it must be compiled from source using the instructions below.* + +
+
+
+**1: Create and configure VM to use for template building:** + +* The VM should be based on a Fedora template. It's best to use a standalone VM. I created a standalone VM based on + the Fedora 23 template. I named the VM “**development**”. These instructions assume a standalone VM based on a Fedora template is being used. +
+
+ +
+
+* Ensure there is at least 25GB preferably 30GB of free space in the private storage. I made the private storage 30GB to be safe. +
+
+ +
+
+ +*Note: Unless otherwise noted, all commands are from within the “development” VM or whatever you named your standalone VM used for building the template.* +
+
+
+ +**2: Create GitHub Account(optional):** + +* It can be helpful. Creating only a basic account is all that is needed. This will allow you to help, going forward, with the Qubes project. You could be help edit errors in documentation. It can also be of use building other templates. + +* Create user account here https://github.com +
+
+ +
+
+
+ +**3: Install necessary packages in the 'development' VM to use "Qubes Automated Build System":** + +* Necessary packages to install: + + * git + + * createrepo + + * rpm-build + + * make + + * rpmdevtools + + * python-sh + + * dailog + + * rpm-sign +
-Install -------- +* The tools can usually be installed all together with the following terminal command string: -Currently we do not ship ready to use binary package. It can be compiled using -[this instructions](/doc/building-archlinux-template/). + * **$ sudo dnf install git createrepo rpm-build make wget rpmdevtools python-sh dialog rpm-sign** +
+
+ +
+
+
-Olivier provides binary package build by himself, you can get it for: -* Qubes R2 [here](https://groups.google.com/d/msgid/qubes-devel/54CE3FB1.3050708%40yahoo.fr). -* Qubes R3 [here](https://groups.google.com/d/msg/qubes-users/RI3KQVEEc30/h5nsNw_SHTQJ) +**4: Installing the "Qubes Automated Build System":** + +* To get the most current build system its best to use marmarek's git repository. + + * $ **git clone https://github.com/marmarek/qubes-builder.git** +
+
+ +
+
+ +* You will now have the Qubes Builder System enviornment installed in the directory below: + + * **/home/user/qubes-builder** +
+
+
+ +**5: Configuring setup script to create builder.conf file:** + +* You will be creating the builder.conf file which tells where and what to use. The most automated, and in in this case the easiest, way to create this is to use the script that is provided in Qubes Builder. Its named '**setup**'. Before running the script you need to edit one file it uses. + + *In the future this should not be needed once a change is made to the 'setup' script.* + + * Edit the '**qubes-os-master.conf**' which is found in **/home/user/qubes-builder/example-configs** Use the text editor of your choice. + + * **$ cd /home/user/qubes-builder/example-config/** + + * **$ nano -W qubes-os-master.conf** or **$ gedit qubes-os-master.conf** or etc…. +
+
+ +
+
+ * Go to the first line containing '**DIST_VM ?= fc23**' it will be preceeded by line '**DIST_DOM0 ?= fc20**'. Remove '**fc23**' or whatever is listed there leaving only '**DIST_VM ?=**'. Then save the file and close the text editor. +
+
+ +
+
+
+ +**6: Run the 'setup' script to build the builder.conf file** + +* Run the 'setup' script located in '**/home/user/qubes-builder/**' Make sure you are in directory '**qubes-builder**' + + * **$ cd /home/user/qubes-builder/** + + * **$ ./setup** +
+
+ +
+
+ * First screen will ask you to import 'Qubes-Master-Signing-key.asc'. The 'setup' script not only downloads but confirms the key to that of the key on Qubes-OS website. + + * Select '**YES**' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * Next screen will ask you to import Marek Marczykowski-Goracki (Qubes OS signing key). Again 'setup' will confirm this key to the fingerprint. + + * Select '**YES**' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * This screen will give you the choice of which Qubes Release to build the template for. + + * Select '**Qubes Release 3.1**' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * Screen "**Choose Repos To Use To Build Packages**" + + * Select 'marmarek/qubes- Unstable-Bleeding Edge for Development' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * Screen '**Builder Plugin Selection**' will gives choices of builder plugins to use for the build. + + * Deselect '**Fedora**' + + * Deselect '**mgnt_salt**' + + * Select '**archlinux**' + + * Select '**OK**' Press **Enter** +
+
+ +
+
+ + * Screen '**Get Resources**' wants to download additional packages needed for the choosen plugin/s. + + * Select '**OK**' Prss '**Enter**' + + * Upon completion you will get choose '**OK**' to proceed to the next screen + + * Press '**Enter**' +
+
+ +
+ +
+
+ + * Screen '**Template Distribution Selection**' allows you to choose the actual template/s you wish to build. + + * Scroll Down to the very bottom (it is off the screen at first) + + * Select '**archlinux**' + + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + *Note: 'Setup' will close and will output the text of the created build.conf file as well as the needed **make** commands to build the template* +
+
+ +
+
+
+ +**7: Install all the dependencies: (make sure you are in the “qubes-builder” directory to run the following cmds)** + +* **$ make install-deps** +
+
+ +
+
+
+ +**8: Get all the require sources for the build: (Note: this may take some time)** + +* **$ make get-sources** +
+
+ +
+
+
+ +**9: Make all the require Qubes Components:** + +* **Note:** You can run a single command to build all the Qubes components or you can run them each individually. + Both ways below: + + * Single command to build all Qubes components together: (this command can take a long time to process depending of your pc proccessing power) + + * **$ make qubes-vm** +
+
+ +
+
+ + + * These are the indivual component 'make' commands: + + * **$ make vmm-xen-vm** + + * **$ make core-vchan-xen-vm** + + * **$ make core-qubesdb-vm** + + * **$ make linux-utils-vm** + + * **$ make core-agent-linux-vm** + + * **$ make gui-common-vm** + + * **$ make gui-agent-linux-vm** +
+
+ + +**10: Make the actual Archlinux template:** + +* **$ make template** + +
+
+ +
+
+
+ + +**11: Transfer Template into Dom0** + +* You need to ensure these two files are in the '**noarch**' directory + + * **$ cd /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/** + + * **$ ls** *(confirm the below two files are there)* + + * **install-templates.sh** (script to install template in dom0) + + * **$ cd noarch** + + * **$ ls** + + * **qubes-template-archlinux-X.X.X-XXXXXXXXXXXX.noarch.rpm** (this is the template package 'X' replaces version and build digits) + + +
+
+ +
+
+ +* **Transfer the two files into Dom0** + *Note: as there is not a typical file transfer method for Dom0, for security reasons, this less than simple transfer function has to be used* + + * Swtich to Domo and open a terminal window. + + **Note:** Take care when entering these cmd strings. They are very long and have a number of characters that are easy to mix '**-**' vs '**.**' '**Templates** (correct) vs **templates** (wrong) or **Template_**'(also wrong) + + + * **$ cd /** + + * **$ sudo qvm-run --pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh** + + * **$ sudo qvm-run pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/noarch/qubes-template.archlinux-3.0.4-201512290227.noarch.rpm' > /home/user/Templates/qubes-template-archlinux-3.0.4-201512290227.noarch.rpm** + +
+
+ +
+
+ +
+
+ +
+
+
+
+ +**If everything went correct there should be a Archlinux template listed in your Qubes VM Manager** + +
+
+
+--------------- + +#**Package Manager Proxy Setup Section** + + +One last thing to setup to have a "PROPERLY" functioning archlinux template. + +Archlinux package manager Pacman is a fine package mangers execpt that we could not find a way to configure it to use the Qubes Update Proxy Service (QUPS) that would compliy with Qubes QUPS usage policy. + +*If someone does find a way please post to the Qubes-Users or Devel google groups mailing list.* + +Powerpill is a full Pacman wrapper that not only give easy proxy configuration but futher offers numerous other advantages. + +Please check out: + +[Archlinux Powerpill](https://wiki.archlinux.org/index.php/powerpill) + +[XYNE's (dev) Powerpill](http://xyne.archlinux.ca/projects/powerpill/) + + +**Important Note:** Until Powerpill is configured you will have to open network access to the template to get the intial packages etc downloaded. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services thru the same window. Remember to change it back if you choose the later route. Actions needing network access will be noted with (needs network access) + +
+
+ +**1: Editing Pacman's configuration file (pacman.conf)** + +* Open archlinux terminal app + +* edit /etc/pacman.conf + +* **$ sudo nano -w /etc/pacman.conf** + +* Below is the output of a correct pacman.conf file Make the changes so your file matches this one or rename the orginal and create a new one and copy and paste this text into it. Text should be justifed left in the file. The changes from your default are to make gpg sig signing mandatory for packages but not required for DBs for the archlinux repos. Also to add the repo (at the end) for the Powerpill package. + + +
+
+ + + # + # /etc/pacman.conf + # + # See the pacman.conf(5) manpage for option and repository directives + + # + # GENERAL OPTIONS + # + [options] + # The following paths are commented out with their default values listed. + # If you wish to use different paths, uncomment and update the paths. + #RootDir = / + #DBPath = /var/lib/pacman/ + #CacheDir = /var/cache/pacman/pkg/ + #LogFile = /var/log/pacman.log + GPGDir = /etc/pacman.d/gnupg/ + HoldPkg = pacman glibc + #XferCommand = /usr/bin/curl -C - -f %u > %o + #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u + #CleanMethod = KeepInstalled + #UseDelta = 0.7 + Architecture = auto + + # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup + #IgnorePkg = + #IgnoreGroup = + #NoUpgrade = + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + #NoExtract = + + # Misc options + #UseSyslog + #Color + #TotalDownload + CheckSpace + #VerbosePkgLists + + # By default, pacman accepts packages signed by keys that its local keyring + # trusts (see pacman-key and its man page), as well as unsigned packages. + #SigLevel = Required DatabaseOptional + LocalFileSigLevel = Optional + #RemoteFileSigLevel = Required + + # NOTE: You must run `pacman-key --init` before first using pacman; the local + # keyring can then be populated with the keys of all official Arch Linux + # packagers with `pacman-key --populate archlinux`. + + # + # REPOSITORIES + # - can be defined here or included from another file + # - pacman will search repositories in the order defined here + # - local/custom mirrors can be added here or in separate files + # - repositories listed first will take precedence when packages + # have identical names, regardless of version number + # - URLs will have $repo replaced by the name of the current repo + # - URLs will have $arch replaced by the name of the architecture + # + # Repository entries are of the format: + # [repo-name] + # Server = ServerName + # Include = IncludePath + # + # The header [repo-name] is crucial - it must be present and + # uncommented to enable the repo. + # + + # The testing repositories are disabled by default. To enable, uncomment the + # repo name header and Include lines. You can add preferred servers immediately + # after the header, and they will be used before the default mirrors. + + #[testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [core] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + [extra] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + #[community-testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [community] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + # If you want to run 32 bit applications on your x86_64 system, + # enable the multilib repositories as required here. + + #[multilib-testing] + #Include = /etc/pacman.d/mirrorlist + + #[multilib] + #Include = /etc/pacman.d/mirrorlist + + # An example of a custom package repository. See the pacman manpage for + # tips on creating your own repositories. + #[custom] + #SigLevel = Optional TrustAll + #Server = file:///home/custompkgs + + [multilib] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + #[qubes] + #commented out as it errors and is not current + #Server = http://olivier.medoc.free.fr/archlinux/pkgs/ + + [xyne-x86_64] + # Added to download powerpill app + # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ + # Packages for the "x86_64" architecture. + # Note that this includes all packages in [xyne-any]. + SigLevel = Required + Server = http://xyne.archlinux.ca/repos/xyne + + #end of file + -Known issues ------------- +
+ +The addition of the above xrne-x86_64 repo is needed for the repo that contains powerpill. + +
+
+
+ +**2: Setting Up GPG** (needs network access) + +* Initialize GPG Keyring + + * **$ sudo pacman-key --init** + +* Populate the keyring with Archlinux master keys + + * **$ sudo pacmna-key --populate archlinux** + + * Confirm keys with those at [Archlinux Master Keys](https://www.archlinux.org/master-keys/) + + * For more information on Pacman key sigining: [Pacman Package Key Signing](https://wiki.archlinux.org/index.php/Pacman/Package_signing) + +
+
+ +**3: Install Powerpill (Pacman wrapper)** (needs network access) + +* **$ sudo pacman -S powerpill** + +
+
+ +**4: Install Reflector** (needs network access) + +*Note: It scripts mirror updating. Grabbing the most up to date gen mirror list. It ranks them by most recently sync'd. Then ranks them on fastest speed. Also can be used by Powerpill config to allow a once stop conf file for all if so wanted.* + +* **$ sudo pacman -S reflector** + + +Note: You can combine package downloads: **$ sudo pacman -S powerpill reflector** + +
+
+ +**5: Backup mirrorlist prior to first running Reflector.** + +Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.org/index.php/Reflector) + +* **$ sudo cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bkup** + +
+
+ +**6: Setup mirrolist with Reflector** (needs network access)** + +*Note: Look at the Reflector page to decide what filter and argument string you wish to run. Below is a default string that will work for most all to setup a working basic mirrorlist. + +*Look to Reflector pages or --help for more info on arug and filters.* + +* **$ sudo reflector --verbose -l 5 --sort rate --save /etc/pacman.d/mirrorlist** + + * The above ranks all the most up to date and sorts for the 5 fastest + + * You can confirm the new list by opening the newly created mirrorlist. + +
+
+ + +**7: Configure Powerpill configuration file to use Qubes Proxy Service** + +* Qubes Proxy Address: **10.137.255.254:8082** + +* Edit **powerpill.json** (powerpill config file) + + * **$ sudo nano -w /etc/powerpill/powerpill.json** + + * Add line '**--all-proxy=10.137.255.254:8082**' at the bottom of the list under the **"aria2"** section under the **"args"** line. Example below: + +
+ + { + "aria2": { + "args": [ + "--allow-overwrite=true", + "--always-resume=false", + "--auto-file-renaming=false", + "--check-integrity=true", + "--conditional-get=true", + "--continue=true", + "--file-allocation=none", + "--log-level=error", + "--max-concurrent-downloads=100", + "--max-connection-per-server=5", + "--min-split-size=5M", + "--remote-time=true", + "--show-console-readout=true", + "--all-proxy=10.137.255.254:8082" + ], + "path": "/usr/bin/aria2c" + }, + +
+
+ +**8: Test Powerpill Configuration** + +*Note: Powerpill uses and passes the same syntax as pacman* + +* Configure Archlinux Template to only use the Qubes Proxy Update Service + * In the Qubes VM Manager under Archlinux FW tab make sure only the access check box for update proxy is on. All others should be set to deny. + +* **$ sudo powerpill -Syu** + + * You should get a similar output as below: + +
+
+ +
+
+ + +**Remember you must open up network access anytime you wish to run the Reflector script to update the mirrorlist. This page will be updated when/if this situation changes.** + + +###**If the above checks out, you can start using your new Archlinux Template**### + +
+
+ + -If you want to help in improving the template, feel free to [contribute](/doc/contributing/). From 44422612329e2bc9f7c5ed42d7b10e1114dea50c Mon Sep 17 00:00:00 2001 From: TimFW Date: Thu, 11 Feb 2016 05:17:54 -0500 Subject: [PATCH 02/37] fix formating and image linking --- managing-os/templates/archlinux.md | 104 ++++++++++++++--------------- 1 file changed, 51 insertions(+), 53 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index 60129ef2..2b37a007 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -19,7 +19,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).
-##Instructions +##Instructions##
**These are the instructions for Qubes 3.1. They will take you step by step thru the entire process start to finish** @@ -29,19 +29,19 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).


-**1: Create and configure VM to use for template building:** +####**1: Create and configure VM to use for template building:**#### * The VM should be based on a Fedora template. It's best to use a standalone VM. I created a standalone VM based on the Fedora 23 template. I named the VM “**development**”. These instructions assume a standalone VM based on a Fedora template is being used.

- +![arch-template-01](/attachment/wiki/ArchlinuxTemplate/arch-template-01.png)

* Ensure there is at least 25GB preferably 30GB of free space in the private storage. I made the private storage 30GB to be safe.

- +![arch-template-02](/attachment/wiki/ArchlinuxTemplate/arch-template-02.png)

@@ -50,19 +50,19 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-**2: Create GitHub Account(optional):** +#####**2: Create GitHub Account(optional):**##### * It can be helpful. Creating only a basic account is all that is needed. This will allow you to help, going forward, with the Qubes project. You could be help edit errors in documentation. It can also be of use building other templates. * Create user account here https://github.com

- +![arch-template-03](/attachment/wiki/ArchlinuxTemplate/arch-template-03.png)


-**3: Install necessary packages in the 'development' VM to use "Qubes Automated Build System":** +#####**3: Install necessary packages to 'development' VM for "Qubes Automated Build System":**##### * Necessary packages to install: @@ -89,19 +89,19 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ sudo dnf install git createrepo rpm-build make wget rpmdevtools python-sh dialog rpm-sign**

- +![arch-template-04](/attachment/wiki/ArchlinuxTemplate/arch-template-04.png)


-**4: Installing the "Qubes Automated Build System":** +#####**4: Installing the "Qubes Automated Build System":**##### * To get the most current build system its best to use marmarek's git repository. * $ **git clone https://github.com/marmarek/qubes-builder.git**

- +![arch-template-05](/attachment/wiki/ArchlinuxTemplate/arch-template-05.png)

@@ -112,7 +112,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-**5: Configuring setup script to create builder.conf file:** +#####**5: Configuring setup script to create builder.conf file:**##### * You will be creating the builder.conf file which tells where and what to use. The most automated, and in in this case the easiest, way to create this is to use the script that is provided in Qubes Builder. Its named '**setup**'. Before running the script you need to edit one file it uses. @@ -125,18 +125,18 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ nano -W qubes-os-master.conf** or **$ gedit qubes-os-master.conf** or etc….

- +![arch-template-06](/attachment/wiki/ArchlinuxTemplate/arch-template-06.png)

* Go to the first line containing '**DIST_VM ?= fc23**' it will be preceeded by line '**DIST_DOM0 ?= fc20**'. Remove '**fc23**' or whatever is listed there leaving only '**DIST_VM ?=**'. Then save the file and close the text editor.

- +![arch-template-07](/attachment/wiki/ArchlinuxTemplate/arch-template-07.png)


-**6: Run the 'setup' script to build the builder.conf file** +#####**6: Run the 'setup' script to build the builder.conf file**##### * Run the 'setup' script located in '**/home/user/qubes-builder/**' Make sure you are in directory '**qubes-builder**' @@ -145,7 +145,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ ./setup**

- +![arch-template-08](/attachment/wiki/ArchlinuxTemplate/arch-template-08.png)

* First screen will ask you to import 'Qubes-Master-Signing-key.asc'. The 'setup' script not only downloads but confirms the key to that of the key on Qubes-OS website. @@ -154,7 +154,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-09](/attachment/wiki/ArchlinuxTemplate/arch-template-09.png)

@@ -164,7 +164,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-10](/attachment/wiki/ArchlinuxTemplate/arch-template-10.png)

@@ -174,7 +174,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-11](/attachment/wiki/ArchlinuxTemplate/arch-template-11.png)

@@ -184,7 +184,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-12](/attachment/wiki/ArchlinuxTemplate/arch-template-12.png)

@@ -199,7 +199,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press **Enter**

- +![arch-template-13](/attachment/wiki/ArchlinuxTemplate/arch-template-13.png)

@@ -212,9 +212,9 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Press '**Enter**'

- +![arch-template-14](/attachment/wiki/ArchlinuxTemplate/arch-template-14.png)
- +![arch-template-15](/attachment/wiki/ArchlinuxTemplate/arch-template-15.png)

@@ -227,39 +227,41 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-16](/attachment/wiki/ArchlinuxTemplate/arch-template-16.png)

*Note: 'Setup' will close and will output the text of the created build.conf file as well as the needed **make** commands to build the template*

- +![arch-template-17](/attachment/wiki/ArchlinuxTemplate/arch-template-17.png)


-**7: Install all the dependencies: (make sure you are in the “qubes-builder” directory to run the following cmds)** +#####**7: Install all the dependencies:**##### + +*Note: make sure you are in the “qubes-builder” directory to run the following cmds* * **$ make install-deps**

- +![arch-template-18](/attachment/wiki/ArchlinuxTemplate/arch-template-18.png)


-**8: Get all the require sources for the build: (Note: this may take some time)** +#####**8: Get all the require sources for the build: (Note: this may take some time)**##### * **$ make get-sources**

- +![arch-template-19](/attachment/wiki/ArchlinuxTemplate/arch-template-19.png)


-**9: Make all the require Qubes Components:** +#####**9: Make all the require Qubes Components:**##### * **Note:** You can run a single command to build all the Qubes components or you can run them each individually. Both ways below: @@ -269,7 +271,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ make qubes-vm**

- +![arch-template-20](/attachment/wiki/ArchlinuxTemplate/arch-template-20.png)

@@ -293,19 +295,18 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).
-**10: Make the actual Archlinux template:** - -* **$ make template** +#####**10: Make the actual Archlinux template:**##### +* **$ make template**

- +![arch-template-21](/attachment/wiki/ArchlinuxTemplate/arch-template-21.png)


-**11: Transfer Template into Dom0** +#####**11: Transfer Template into Dom0**##### * You need to ensure these two files are in the '**noarch**' directory @@ -320,11 +321,9 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ ls** * **qubes-template-archlinux-X.X.X-XXXXXXXXXXXX.noarch.rpm** (this is the template package 'X' replaces version and build digits) - -

- +![arch-template-22](/attachment/wiki/ArchlinuxTemplate/arch-template-22.png)

@@ -341,29 +340,28 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ sudo qvm-run --pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh** * **$ sudo qvm-run pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/noarch/qubes-template.archlinux-3.0.4-201512290227.noarch.rpm' > /home/user/Templates/qubes-template-archlinux-3.0.4-201512290227.noarch.rpm** -

- +![arch-template-23](/attachment/wiki/ArchlinuxTemplate/arch-template-23.png)

- +![arch-template-24](/attachment/wiki/ArchlinuxTemplate/arch-template-24.png)

- +![arch-template-25](/attachment/wiki/ArchlinuxTemplate/arch-template-25.png)



-**If everything went correct there should be a Archlinux template listed in your Qubes VM Manager** +#####**If everything went correct there should be a Archlinux template listed in your Qubes VM Manager**#####


--------------- -#**Package Manager Proxy Setup Section** +##**Package Manager Proxy Setup Section**## One last thing to setup to have a "PROPERLY" functioning archlinux template. @@ -386,7 +384,7 @@ Please check out:

-**1: Editing Pacman's configuration file (pacman.conf)** +#####**1: Editing Pacman's configuration file (pacman.conf)**##### * Open archlinux terminal app @@ -535,7 +533,7 @@ The addition of the above xrne-x86_64 repo is needed for the repo that contains

-**2: Setting Up GPG** (needs network access) +#####**2: Setting Up GPG** (needs network access)##### * Initialize GPG Keyring @@ -552,14 +550,14 @@ The addition of the above xrne-x86_64 repo is needed for the repo that contains

-**3: Install Powerpill (Pacman wrapper)** (needs network access) +#####**3: Install Powerpill (Pacman wrapper)** (needs network access)##### * **$ sudo pacman -S powerpill**

-**4: Install Reflector** (needs network access) +#####**4: Install Reflector** (needs network access)##### *Note: It scripts mirror updating. Grabbing the most up to date gen mirror list. It ranks them by most recently sync'd. Then ranks them on fastest speed. Also can be used by Powerpill config to allow a once stop conf file for all if so wanted.* @@ -571,7 +569,7 @@ Note: You can combine package downloads: **$ sudo pacman -S powerpill reflector

-**5: Backup mirrorlist prior to first running Reflector.** +#####**5: Backup mirrorlist prior to first running Reflector.**##### Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.org/index.php/Reflector) @@ -580,7 +578,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

-**6: Setup mirrolist with Reflector** (needs network access)** +#####**6: Setup mirrolist with Reflector** (needs network access)**##### *Note: Look at the Reflector page to decide what filter and argument string you wish to run. Below is a default string that will work for most all to setup a working basic mirrorlist. @@ -596,7 +594,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.
-**7: Configure Powerpill configuration file to use Qubes Proxy Service** +#####**7: Configure Powerpill configuration file to use Qubes Proxy Service**##### * Qubes Proxy Address: **10.137.255.254:8082** @@ -632,7 +630,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

-**8: Test Powerpill Configuration** +#####**8: Test Powerpill Configuration**##### *Note: Powerpill uses and passes the same syntax as pacman* @@ -645,7 +643,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

- +![arch-template-26](/attachment/wiki/ArchlinuxTemplate/arch-template-26.png)

From 8be506c7193f56528c9d6ea6f1b216fbfbe60dda Mon Sep 17 00:00:00 2001 From: TimFW Date: Thu, 11 Feb 2016 06:08:01 -0500 Subject: [PATCH 03/37] Fix issues * Fixed: line 191 - typo * Fixed: line 342 - removed the rpm transfer line 351 - removed corresponding image-25 * Still Open: line 402-523 - denoting pacman.conf lines that need to be changed within the entire file output. --- managing-os/templates/archlinux.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index 2b37a007..ddbadc70 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -188,7 +188,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

- * Screen '**Builder Plugin Selection**' will gives choices of builder plugins to use for the build. + * Screen '**Builder Plugin Selection**' will give choices of builder plugins to use for the build. * Deselect '**Fedora**' @@ -327,19 +327,18 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-* **Transfer the two files into Dom0** +* **Transfer the install-templates.sh script file into Dom0** *Note: as there is not a typical file transfer method for Dom0, for security reasons, this less than simple transfer function has to be used* * Swtich to Domo and open a terminal window. - **Note:** Take care when entering these cmd strings. They are very long and have a number of characters that are easy to mix '**-**' vs '**.**' '**Templates** (correct) vs **templates** (wrong) or **Template_**'(also wrong) + **Note:** Take care when entering these cmd strings. They are very long and have a number of characters that are easy to mix '**-**' vs '**.**' '**Templates** (correct) vs **templates** (wrong) or **Template_**'(also wrong) This script will also take care of transfering the actual template.rpm to Dom0 as well. * **$ cd /** * **$ sudo qvm-run --pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh** - * **$ sudo qvm-run pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/noarch/qubes-template.archlinux-3.0.4-201512290227.noarch.rpm' > /home/user/Templates/qubes-template-archlinux-3.0.4-201512290227.noarch.rpm**

![arch-template-23](/attachment/wiki/ArchlinuxTemplate/arch-template-23.png) @@ -348,9 +347,6 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). ![arch-template-24](/attachment/wiki/ArchlinuxTemplate/arch-template-24.png)

-![arch-template-25](/attachment/wiki/ArchlinuxTemplate/arch-template-25.png) -
-


From a8cabf6c5c56b5afb356d3c552960c41ba7c6203 Mon Sep 17 00:00:00 2001 From: TimFW Date: Thu, 11 Feb 2016 22:27:43 -0500 Subject: [PATCH 04/37] Fix issues * Denoted the edited lines in the pacman.conf output * Added 'known issues' and 'want to contribute' sections * For image links I followed the path format used in the doc-guidelines.md ( know the images show up in the webpage when its live but links in the actual .md file thru github) * Fixed a couple format and typos Is there anything else that should be edited? --- managing-os/templates/archlinux.md | 281 ++++++++++++++++------------- 1 file changed, 153 insertions(+), 128 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index ddbadc70..fa67d643 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -395,138 +395,138 @@ Please check out:
- # - # /etc/pacman.conf - # - # See the pacman.conf(5) manpage for option and repository directives - - # - # GENERAL OPTIONS - # - [options] - # The following paths are commented out with their default values listed. - # If you wish to use different paths, uncomment and update the paths. - #RootDir = / - #DBPath = /var/lib/pacman/ - #CacheDir = /var/cache/pacman/pkg/ - #LogFile = /var/log/pacman.log - GPGDir = /etc/pacman.d/gnupg/ - HoldPkg = pacman glibc - #XferCommand = /usr/bin/curl -C - -f %u > %o - #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u - #CleanMethod = KeepInstalled - #UseDelta = 0.7 - Architecture = auto - - # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup - #IgnorePkg = - #IgnoreGroup = - #NoUpgrade = - NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio - #NoExtract = - - # Misc options - #UseSyslog - #Color - #TotalDownload - CheckSpace - #VerbosePkgLists - - # By default, pacman accepts packages signed by keys that its local keyring - # trusts (see pacman-key and its man page), as well as unsigned packages. - #SigLevel = Required DatabaseOptional - LocalFileSigLevel = Optional - #RemoteFileSigLevel = Required - - # NOTE: You must run `pacman-key --init` before first using pacman; the local - # keyring can then be populated with the keys of all official Arch Linux - # packagers with `pacman-key --populate archlinux`. - - # - # REPOSITORIES - # - can be defined here or included from another file - # - pacman will search repositories in the order defined here - # - local/custom mirrors can be added here or in separate files - # - repositories listed first will take precedence when packages - # have identical names, regardless of version number - # - URLs will have $repo replaced by the name of the current repo - # - URLs will have $arch replaced by the name of the architecture - # - # Repository entries are of the format: - # [repo-name] - # Server = ServerName - # Include = IncludePath - # - # The header [repo-name] is crucial - it must be present and - # uncommented to enable the repo. - # - - # The testing repositories are disabled by default. To enable, uncomment the - # repo name header and Include lines. You can add preferred servers immediately - # after the header, and they will be used before the default mirrors. - - #[testing] - #SigLevel = PackageRequired - #Include = /etc/pacman.d/mirrorlist - - [core] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - [extra] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - #[community-testing] - #SigLevel = PackageRequired - #Include = /etc/pacman.d/mirrorlist - - [community] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - # If you want to run 32 bit applications on your x86_64 system, - # enable the multilib repositories as required here. - - #[multilib-testing] - #Include = /etc/pacman.d/mirrorlist - - #[multilib] - #Include = /etc/pacman.d/mirrorlist - - # An example of a custom package repository. See the pacman manpage for - # tips on creating your own repositories. - #[custom] - #SigLevel = Optional TrustAll - #Server = file:///home/custompkgs - - [multilib] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - #[qubes] - #commented out as it errors and is not current - #Server = http://olivier.medoc.free.fr/archlinux/pkgs/ - - [xyne-x86_64] - # Added to download powerpill app - # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ - # Packages for the "x86_64" architecture. - # Note that this includes all packages in [xyne-any]. - SigLevel = Required - Server = http://xyne.archlinux.ca/repos/xyne - - #end of file - + # /etc/pacman.conf + # + # See the pacman.conf(5) manpage for option and repository directives + + # + # GENERAL OPTIONS + # + [options] + # The following paths are commented out with their default values listed. + # If you wish to use different paths, uncomment and update the paths. + #RootDir = / + #DBPath = /var/lib/pacman/ + #CacheDir = /var/cache/pacman/pkg/ + #LogFile = /var/log/pacman.log + GPGDir = /etc/pacman.d/gnupg/ + HoldPkg = pacman glibc + #XferCommand = /usr/bin/curl -C - -f %u > %o + #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u + #CleanMethod = KeepInstalled + #UseDelta = 0.7 + Architecture = auto + # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup + #IgnorePkg = + #IgnoreGroup = + #NoUpgrade = + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + #NoExtract = -
+ # Misc options + #UseSyslog + #Color + #TotalDownload + CheckSpace + #VerbosePkgLists -The addition of the above xrne-x86_64 repo is needed for the repo that contains powerpill. + # By default, pacman accepts packages signed by keys that its local keyring + # trusts (see pacman-key and its man page), as well as unsigned packages. +**Edited Line:** `#SigLevel = Required DatabaseOptional` + + LocalFileSigLevel = Optional + #RemoteFileSigLevel = Required + + # NOTE: You must run `pacman-key --init` before first using pacman; the local + # keyring can then be populated with the keys of all official Arch Linux + # packagers with `pacman-key --populate archlinux`. + + # + # REPOSITORIES + # - can be defined here or included from another file + # - pacman will search repositories in the order defined here + # - local/custom mirrors can be added here or in separate files + # - repositories listed first will take precedence when packages + # have identical names, regardless of version number + # - URLs will have $repo replaced by the name of the current repo + # - URLs will have $arch replaced by the name of the architecture + # + # Repository entries are of the format: + # [repo-name] + # Server = ServerName + # Include = IncludePath + # + # The header [repo-name] is crucial - it must be present and + # uncommented to enable the repo. + # + + # The testing repositories are disabled by default. To enable, uncomment the + # repo name header and Include lines. You can add preferred servers immediately + # after the header, and they will be used before the default mirrors. + + #[testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [core] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + + [extra] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + + #[community-testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [community] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + + # If you want to run 32 bit applications on your x86_64 system, + # enable the multilib repositories as required here. + + #[multilib-testing] + #Include = /etc/pacman.d/mirrorlist + + #[multilib] + #Include = /etc/pacman.d/mirrorlist + + # An example of a custom package repository. See the pacman manpage for + # tips on creating your own repositories. + #[custom] + #SigLevel = Optional TrustAll + #Server = file:///home/custompkgs + + [multilib] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + +**Edited Line:** `#[qubes]` + +**Edited Line:** `#Server = http://olivier.medoc.free.fr/archlinux/pkgs/` + +**Add Section Below:** + + [xyne-x86_64] + # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ + # Packages for the "x86_64" architecture. + # Added for PowerPill app + # Note that this includes all packages in [xyne-any]. + SigLevel = Required + Server = http://xyne.archlinux.ca/repos/xyne + +---------- -
-

#####**2: Setting Up GPG** (needs network access)##### @@ -537,7 +537,7 @@ The addition of the above xrne-x86_64 repo is needed for the repo that contains * Populate the keyring with Archlinux master keys - * **$ sudo pacmna-key --populate archlinux** + * **$ sudo pacman-key --populate archlinux** * Confirm keys with those at [Archlinux Master Keys](https://www.archlinux.org/master-keys/) @@ -652,5 +652,30 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

+####**Known Issues:**#### +* If there is an Arch upgrade of Pulse Audio it will require rebuilding and installing Qubes component: gui-agent-linux +* There May also be a similar issue of dependencies with Xorg. + +* Upgrade Relfector functionality to allow its use thru the QUPS + +* Pacman functionality changes and allows it to be directly configured to work thru QUPS. + +
+ +####**Qubes Mailing List Threads on the Archlinux build process:**#### + +* [Qubes-Devel](https://groups.google.com/forum/#!forum/qubes-devel): [Qubes Builder failed Archlinux repository is missing](https://groups.google.com/forum/#!topic/qubes-devel/tIFkS-rPVx8) + +* [Qubes-Users](https://groups.google.com/forum/#!forum/qubes-users): [Trying to compile archlinux template](https://groups.google.com/forum/#!topic/qubes-users/7wuwr3LgkQQ) + +
+ +####**Want to contribute?**#### + +* [How can I contribute to the Qubes Project?](/doc/contributing/) + +* [Guidelines for Documentation Contributors](doc/doc-guidelines/) + +
From 1bb7fed2979a2b5f0c852583220be91469c938b4 Mon Sep 17 00:00:00 2001 From: antitree Date: Sun, 14 Feb 2016 14:50:31 -0500 Subject: [PATCH 05/37] Suggestion to show how to uninstall a package I just had an issue installing anti-evil-maid and couldn't find documentation on how to remove it. Looking at the source I think this is the expected way (which worked for me). --- common-tasks/software-update-dom0.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md index d521ab56..323e0d9e 100644 --- a/common-tasks/software-update-dom0.md +++ b/common-tasks/software-update-dom0.md @@ -66,6 +66,14 @@ Of course, command line tools are still available for accomplishing various upda sudo yum downgrade package-version ~~~ +### How to uninstall a package + +If you've installed a package such as anti-evil-maid, you can remove it with the following command: + + ~~~ + sudo qubes-dom0-update action=remove anti-evil-maid + ~~~ + ### Kernel Upgrade ### Install newer kernel. The following example installs kernel 3.19 and was tested on Qubes R3 RC1. From d2a97d253c211f5af3565a21f7ea91f7c8df6b47 Mon Sep 17 00:00:00 2001 From: Michael Carbone Date: Wed, 17 Feb 2016 12:38:12 -0500 Subject: [PATCH 06/37] dnf -> yum f21 errors on using dnf because it is not yet the default package manager. --- installing/upgrade-to-r3.1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/installing/upgrade-to-r3.1.md b/installing/upgrade-to-r3.1.md index 0b04d361..136b3088 100644 --- a/installing/upgrade-to-r3.1.md +++ b/installing/upgrade-to-r3.1.md @@ -38,11 +38,11 @@ section should be repeated in **all** the user's Template and Standalone VMs. 2. Install the `qubes-upgrade-vm` package: - sudo dnf install --enablerepo=qubes-vm-r3.0-current-testing qubes-upgrade-vm + sudo yum install --enablerepo=qubes-vm-r3.0-current-testing qubes-upgrade-vm 3. Proceed with a normal upgrade in the template: - sudo dnf upgrade + sudo yum upgrade 4. Shut down the template VM. From 40c1864e233a9853c4311a4eeb9fcaa384187720 Mon Sep 17 00:00:00 2001 From: youknow0 Date: Wed, 17 Feb 2016 20:25:52 +0100 Subject: [PATCH 07/37] Fix link to disposable VM customization Fix the link to the disposable customization page (excess dash sign) --- common-tasks/dispvm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md index bb44e01c..1f5af78c 100644 --- a/common-tasks/dispvm.md +++ b/common-tasks/dispvm.md @@ -74,7 +74,7 @@ Customizing Disposable VMs --------------------------------------------------------- You can change the template used to generate the Disposable VM, and change settings used in the Disposable VM savefile. These changes will be reflected in every new Disposable VM. -Full instructions are [here](/doc/disp-vm-customization/) +Full instructions are [here](/doc/dispvm-customization/) Disposable VMs and Local Forensics From b49c2ee65e7a777dd8cdee565a81afe1a1e393ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 17 Feb 2016 21:30:07 +0100 Subject: [PATCH 08/37] Update 3.1-rc3 release date --- releases/3.1/schedule.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releases/3.1/schedule.md b/releases/3.1/schedule.md index 16fc5bf6..296ca3e0 100644 --- a/releases/3.1/schedule.md +++ b/releases/3.1/schedule.md @@ -26,4 +26,4 @@ article td, article th { | 12 Jan 2016 | 3.1-rc2 release | | 26 Jan 2016 | decide whether 3.1-rc2 is the final 3.1 | | 9 Feb 2016 | current-testing freeze before 3.1-rc3 | -| 16 Feb 2016 | 3-1-rc3 release | +| 16 Feb 2016
23 Feb 2016 | 3.1-rc3 release | From 4bf6712bf5098aee90be51c60e4c99bafb00e530 Mon Sep 17 00:00:00 2001 From: Michael Carbone Date: Fri, 19 Feb 2016 07:31:59 -0500 Subject: [PATCH 09/37] fixed link to Whonix, called torvm depreciated --- privacy/torvm.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/privacy/torvm.md b/privacy/torvm.md index 0c418ba1..07bf9c63 100644 --- a/privacy/torvm.md +++ b/privacy/torvm.md @@ -17,8 +17,8 @@ Known issues: Qubes TorVM (qubes-tor) ========================== -Qubes TorVM is a ProxyVM service that provides torified networking to all its -clients. +Qubes TorVM is a depreciated ProxyVM service that provides torified networking to all its +clients. **If you are interested in TorVM, you will find the [Whonix implementation in Qubes](https://www.qubes-os.org/doc/privacy/whonix/) a more usable and robust solution for creating a torifying traffic proxy.** By default, any AppVM using the TorVM as its NetVM will be fully torified, so even applications that are not Tor aware will be unable to access the outside @@ -32,8 +32,6 @@ All non-DNS UDP and IPv6 traffic is silently dropped. See [this article](http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html) for a description of the concept, architecture, and the original implementation. -**If you are interested TorVM, you may find the [Whonix gateway template](https://www.qubes-os.org/doc/templates/whonix/) in Qubes a more usable and robust solution for creating a torifying traffic proxy.** - ## Warning + Disclaimer 1. Qubes TorVM is produced independently from the Tor(R) anonymity software and From f565895b026b956127938098d5988aa340fcb23f Mon Sep 17 00:00:00 2001 From: Axon Date: Fri, 19 Feb 2016 16:10:13 +0000 Subject: [PATCH 10/37] Fix typo and line wrapping --- privacy/torvm.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/privacy/torvm.md b/privacy/torvm.md index 07bf9c63..62603475 100644 --- a/privacy/torvm.md +++ b/privacy/torvm.md @@ -17,8 +17,10 @@ Known issues: Qubes TorVM (qubes-tor) ========================== -Qubes TorVM is a depreciated ProxyVM service that provides torified networking to all its -clients. **If you are interested in TorVM, you will find the [Whonix implementation in Qubes](https://www.qubes-os.org/doc/privacy/whonix/) a more usable and robust solution for creating a torifying traffic proxy.** +Qubes TorVM is a deprecated ProxyVM service that provides torified networking to +all its clients. **If you are interested in TorVM, you will find the +[Whonix implementation in Qubes](https://www.qubes-os.org/doc/privacy/whonix/) a +more usable and robust solution for creating a torifying traffic proxy.** By default, any AppVM using the TorVM as its NetVM will be fully torified, so even applications that are not Tor aware will be unable to access the outside From 412b5f929f5b53d044a221dd833488117a90fdb9 Mon Sep 17 00:00:00 2001 From: TimFW Date: Mon, 8 Feb 2016 19:04:55 -0500 Subject: [PATCH 11/37] Add full instructions for Archlnux Template build Replaced short orginal intro and link to the dated developer's section template example with step by step instructions as discussed in the devel mailing list. I have reviewed the steps and checked the text but please review and make any changes/corrections as needed. --- managing-os/templates/archlinux.md | 650 ++++++++++++++++++++++++++++- 1 file changed, 635 insertions(+), 15 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index d7e61f21..60129ef2 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -16,27 +16,647 @@ be considered experimental as Qubes developers team use mainly Fedora-based VMs to test new features/updates. Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). -He also provides binary updates for the template, which are signed using this -key: - pub 2048R/C1833B9C 2014-03-27 [expires: 2016-03-26] - Key fingerprint = D85E E12F 9678 51CC F433 515A 2043 E7AC C183 3B9C - uid Olivier MEDOC (Qubes-OS signing key) +
+ +##Instructions + +
+**These are the instructions for Qubes 3.1. They will take you step by step thru the entire process start to finish** + +*Note: Currently there are no binary packages and it must be compiled from source using the instructions below.* + +
+
+
+**1: Create and configure VM to use for template building:** + +* The VM should be based on a Fedora template. It's best to use a standalone VM. I created a standalone VM based on + the Fedora 23 template. I named the VM “**development**”. These instructions assume a standalone VM based on a Fedora template is being used. +
+
+ +
+
+* Ensure there is at least 25GB preferably 30GB of free space in the private storage. I made the private storage 30GB to be safe. +
+
+ +
+
+ +*Note: Unless otherwise noted, all commands are from within the “development” VM or whatever you named your standalone VM used for building the template.* +
+
+
+ +**2: Create GitHub Account(optional):** + +* It can be helpful. Creating only a basic account is all that is needed. This will allow you to help, going forward, with the Qubes project. You could be help edit errors in documentation. It can also be of use building other templates. + +* Create user account here https://github.com +
+
+ +
+
+
+ +**3: Install necessary packages in the 'development' VM to use "Qubes Automated Build System":** + +* Necessary packages to install: + + * git + + * createrepo + + * rpm-build + + * make + + * rpmdevtools + + * python-sh + + * dailog + + * rpm-sign +
-Install -------- +* The tools can usually be installed all together with the following terminal command string: -Currently we do not ship ready to use binary package. It can be compiled using -[this instructions](/doc/building-archlinux-template/). + * **$ sudo dnf install git createrepo rpm-build make wget rpmdevtools python-sh dialog rpm-sign** +
+
+ +
+
+
-Olivier provides binary package build by himself, you can get it for: -* Qubes R2 [here](https://groups.google.com/d/msgid/qubes-devel/54CE3FB1.3050708%40yahoo.fr). -* Qubes R3 [here](https://groups.google.com/d/msg/qubes-users/RI3KQVEEc30/h5nsNw_SHTQJ) +**4: Installing the "Qubes Automated Build System":** + +* To get the most current build system its best to use marmarek's git repository. + + * $ **git clone https://github.com/marmarek/qubes-builder.git** +
+
+ +
+
+ +* You will now have the Qubes Builder System enviornment installed in the directory below: + + * **/home/user/qubes-builder** +
+
+
+ +**5: Configuring setup script to create builder.conf file:** + +* You will be creating the builder.conf file which tells where and what to use. The most automated, and in in this case the easiest, way to create this is to use the script that is provided in Qubes Builder. Its named '**setup**'. Before running the script you need to edit one file it uses. + + *In the future this should not be needed once a change is made to the 'setup' script.* + + * Edit the '**qubes-os-master.conf**' which is found in **/home/user/qubes-builder/example-configs** Use the text editor of your choice. + + * **$ cd /home/user/qubes-builder/example-config/** + + * **$ nano -W qubes-os-master.conf** or **$ gedit qubes-os-master.conf** or etc…. +
+
+ +
+
+ * Go to the first line containing '**DIST_VM ?= fc23**' it will be preceeded by line '**DIST_DOM0 ?= fc20**'. Remove '**fc23**' or whatever is listed there leaving only '**DIST_VM ?=**'. Then save the file and close the text editor. +
+
+ +
+
+
+ +**6: Run the 'setup' script to build the builder.conf file** + +* Run the 'setup' script located in '**/home/user/qubes-builder/**' Make sure you are in directory '**qubes-builder**' + + * **$ cd /home/user/qubes-builder/** + + * **$ ./setup** +
+
+ +
+
+ * First screen will ask you to import 'Qubes-Master-Signing-key.asc'. The 'setup' script not only downloads but confirms the key to that of the key on Qubes-OS website. + + * Select '**YES**' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * Next screen will ask you to import Marek Marczykowski-Goracki (Qubes OS signing key). Again 'setup' will confirm this key to the fingerprint. + + * Select '**YES**' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * This screen will give you the choice of which Qubes Release to build the template for. + + * Select '**Qubes Release 3.1**' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * Screen "**Choose Repos To Use To Build Packages**" + + * Select 'marmarek/qubes- Unstable-Bleeding Edge for Development' + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + * Screen '**Builder Plugin Selection**' will gives choices of builder plugins to use for the build. + + * Deselect '**Fedora**' + + * Deselect '**mgnt_salt**' + + * Select '**archlinux**' + + * Select '**OK**' Press **Enter** +
+
+ +
+
+ + * Screen '**Get Resources**' wants to download additional packages needed for the choosen plugin/s. + + * Select '**OK**' Prss '**Enter**' + + * Upon completion you will get choose '**OK**' to proceed to the next screen + + * Press '**Enter**' +
+
+ +
+ +
+
+ + * Screen '**Template Distribution Selection**' allows you to choose the actual template/s you wish to build. + + * Scroll Down to the very bottom (it is off the screen at first) + + * Select '**archlinux**' + + * Select '**OK**' Press '**Enter**' +
+
+ +
+
+ + *Note: 'Setup' will close and will output the text of the created build.conf file as well as the needed **make** commands to build the template* +
+
+ +
+
+
+ +**7: Install all the dependencies: (make sure you are in the “qubes-builder” directory to run the following cmds)** + +* **$ make install-deps** +
+
+ +
+
+
+ +**8: Get all the require sources for the build: (Note: this may take some time)** + +* **$ make get-sources** +
+
+ +
+
+
+ +**9: Make all the require Qubes Components:** + +* **Note:** You can run a single command to build all the Qubes components or you can run them each individually. + Both ways below: + + * Single command to build all Qubes components together: (this command can take a long time to process depending of your pc proccessing power) + + * **$ make qubes-vm** +
+
+ +
+
+ + + * These are the indivual component 'make' commands: + + * **$ make vmm-xen-vm** + + * **$ make core-vchan-xen-vm** + + * **$ make core-qubesdb-vm** + + * **$ make linux-utils-vm** + + * **$ make core-agent-linux-vm** + + * **$ make gui-common-vm** + + * **$ make gui-agent-linux-vm** +
+
+ + +**10: Make the actual Archlinux template:** + +* **$ make template** + +
+
+ +
+
+
+ + +**11: Transfer Template into Dom0** + +* You need to ensure these two files are in the '**noarch**' directory + + * **$ cd /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/** + + * **$ ls** *(confirm the below two files are there)* + + * **install-templates.sh** (script to install template in dom0) + + * **$ cd noarch** + + * **$ ls** + + * **qubes-template-archlinux-X.X.X-XXXXXXXXXXXX.noarch.rpm** (this is the template package 'X' replaces version and build digits) + + +
+
+ +
+
+ +* **Transfer the two files into Dom0** + *Note: as there is not a typical file transfer method for Dom0, for security reasons, this less than simple transfer function has to be used* + + * Swtich to Domo and open a terminal window. + + **Note:** Take care when entering these cmd strings. They are very long and have a number of characters that are easy to mix '**-**' vs '**.**' '**Templates** (correct) vs **templates** (wrong) or **Template_**'(also wrong) + + + * **$ cd /** + + * **$ sudo qvm-run --pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh** + + * **$ sudo qvm-run pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/noarch/qubes-template.archlinux-3.0.4-201512290227.noarch.rpm' > /home/user/Templates/qubes-template-archlinux-3.0.4-201512290227.noarch.rpm** + +
+
+ +
+
+ +
+
+ +
+
+
+
+ +**If everything went correct there should be a Archlinux template listed in your Qubes VM Manager** + +
+
+
+--------------- + +#**Package Manager Proxy Setup Section** + + +One last thing to setup to have a "PROPERLY" functioning archlinux template. + +Archlinux package manager Pacman is a fine package mangers execpt that we could not find a way to configure it to use the Qubes Update Proxy Service (QUPS) that would compliy with Qubes QUPS usage policy. + +*If someone does find a way please post to the Qubes-Users or Devel google groups mailing list.* + +Powerpill is a full Pacman wrapper that not only give easy proxy configuration but futher offers numerous other advantages. + +Please check out: + +[Archlinux Powerpill](https://wiki.archlinux.org/index.php/powerpill) + +[XYNE's (dev) Powerpill](http://xyne.archlinux.ca/projects/powerpill/) + + +**Important Note:** Until Powerpill is configured you will have to open network access to the template to get the intial packages etc downloaded. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services thru the same window. Remember to change it back if you choose the later route. Actions needing network access will be noted with (needs network access) + +
+
+ +**1: Editing Pacman's configuration file (pacman.conf)** + +* Open archlinux terminal app + +* edit /etc/pacman.conf + +* **$ sudo nano -w /etc/pacman.conf** + +* Below is the output of a correct pacman.conf file Make the changes so your file matches this one or rename the orginal and create a new one and copy and paste this text into it. Text should be justifed left in the file. The changes from your default are to make gpg sig signing mandatory for packages but not required for DBs for the archlinux repos. Also to add the repo (at the end) for the Powerpill package. + + +
+
+ + + # + # /etc/pacman.conf + # + # See the pacman.conf(5) manpage for option and repository directives + + # + # GENERAL OPTIONS + # + [options] + # The following paths are commented out with their default values listed. + # If you wish to use different paths, uncomment and update the paths. + #RootDir = / + #DBPath = /var/lib/pacman/ + #CacheDir = /var/cache/pacman/pkg/ + #LogFile = /var/log/pacman.log + GPGDir = /etc/pacman.d/gnupg/ + HoldPkg = pacman glibc + #XferCommand = /usr/bin/curl -C - -f %u > %o + #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u + #CleanMethod = KeepInstalled + #UseDelta = 0.7 + Architecture = auto + + # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup + #IgnorePkg = + #IgnoreGroup = + #NoUpgrade = + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + #NoExtract = + + # Misc options + #UseSyslog + #Color + #TotalDownload + CheckSpace + #VerbosePkgLists + + # By default, pacman accepts packages signed by keys that its local keyring + # trusts (see pacman-key and its man page), as well as unsigned packages. + #SigLevel = Required DatabaseOptional + LocalFileSigLevel = Optional + #RemoteFileSigLevel = Required + + # NOTE: You must run `pacman-key --init` before first using pacman; the local + # keyring can then be populated with the keys of all official Arch Linux + # packagers with `pacman-key --populate archlinux`. + + # + # REPOSITORIES + # - can be defined here or included from another file + # - pacman will search repositories in the order defined here + # - local/custom mirrors can be added here or in separate files + # - repositories listed first will take precedence when packages + # have identical names, regardless of version number + # - URLs will have $repo replaced by the name of the current repo + # - URLs will have $arch replaced by the name of the architecture + # + # Repository entries are of the format: + # [repo-name] + # Server = ServerName + # Include = IncludePath + # + # The header [repo-name] is crucial - it must be present and + # uncommented to enable the repo. + # + + # The testing repositories are disabled by default. To enable, uncomment the + # repo name header and Include lines. You can add preferred servers immediately + # after the header, and they will be used before the default mirrors. + + #[testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [core] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + [extra] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + #[community-testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [community] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + # If you want to run 32 bit applications on your x86_64 system, + # enable the multilib repositories as required here. + + #[multilib-testing] + #Include = /etc/pacman.d/mirrorlist + + #[multilib] + #Include = /etc/pacman.d/mirrorlist + + # An example of a custom package repository. See the pacman manpage for + # tips on creating your own repositories. + #[custom] + #SigLevel = Optional TrustAll + #Server = file:///home/custompkgs + + [multilib] + SigLevel = PackageRequired + Include = /etc/pacman.d/mirrorlist + + #[qubes] + #commented out as it errors and is not current + #Server = http://olivier.medoc.free.fr/archlinux/pkgs/ + + [xyne-x86_64] + # Added to download powerpill app + # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ + # Packages for the "x86_64" architecture. + # Note that this includes all packages in [xyne-any]. + SigLevel = Required + Server = http://xyne.archlinux.ca/repos/xyne + + #end of file + -Known issues ------------- +
+ +The addition of the above xrne-x86_64 repo is needed for the repo that contains powerpill. + +
+
+
+ +**2: Setting Up GPG** (needs network access) + +* Initialize GPG Keyring + + * **$ sudo pacman-key --init** + +* Populate the keyring with Archlinux master keys + + * **$ sudo pacmna-key --populate archlinux** + + * Confirm keys with those at [Archlinux Master Keys](https://www.archlinux.org/master-keys/) + + * For more information on Pacman key sigining: [Pacman Package Key Signing](https://wiki.archlinux.org/index.php/Pacman/Package_signing) + +
+
+ +**3: Install Powerpill (Pacman wrapper)** (needs network access) + +* **$ sudo pacman -S powerpill** + +
+
+ +**4: Install Reflector** (needs network access) + +*Note: It scripts mirror updating. Grabbing the most up to date gen mirror list. It ranks them by most recently sync'd. Then ranks them on fastest speed. Also can be used by Powerpill config to allow a once stop conf file for all if so wanted.* + +* **$ sudo pacman -S reflector** + + +Note: You can combine package downloads: **$ sudo pacman -S powerpill reflector** + +
+
+ +**5: Backup mirrorlist prior to first running Reflector.** + +Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.org/index.php/Reflector) + +* **$ sudo cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bkup** + +
+
+ +**6: Setup mirrolist with Reflector** (needs network access)** + +*Note: Look at the Reflector page to decide what filter and argument string you wish to run. Below is a default string that will work for most all to setup a working basic mirrorlist. + +*Look to Reflector pages or --help for more info on arug and filters.* + +* **$ sudo reflector --verbose -l 5 --sort rate --save /etc/pacman.d/mirrorlist** + + * The above ranks all the most up to date and sorts for the 5 fastest + + * You can confirm the new list by opening the newly created mirrorlist. + +
+
+ + +**7: Configure Powerpill configuration file to use Qubes Proxy Service** + +* Qubes Proxy Address: **10.137.255.254:8082** + +* Edit **powerpill.json** (powerpill config file) + + * **$ sudo nano -w /etc/powerpill/powerpill.json** + + * Add line '**--all-proxy=10.137.255.254:8082**' at the bottom of the list under the **"aria2"** section under the **"args"** line. Example below: + +
+ + { + "aria2": { + "args": [ + "--allow-overwrite=true", + "--always-resume=false", + "--auto-file-renaming=false", + "--check-integrity=true", + "--conditional-get=true", + "--continue=true", + "--file-allocation=none", + "--log-level=error", + "--max-concurrent-downloads=100", + "--max-connection-per-server=5", + "--min-split-size=5M", + "--remote-time=true", + "--show-console-readout=true", + "--all-proxy=10.137.255.254:8082" + ], + "path": "/usr/bin/aria2c" + }, + +
+
+ +**8: Test Powerpill Configuration** + +*Note: Powerpill uses and passes the same syntax as pacman* + +* Configure Archlinux Template to only use the Qubes Proxy Update Service + * In the Qubes VM Manager under Archlinux FW tab make sure only the access check box for update proxy is on. All others should be set to deny. + +* **$ sudo powerpill -Syu** + + * You should get a similar output as below: + +
+
+ +
+
+ + +**Remember you must open up network access anytime you wish to run the Reflector script to update the mirrorlist. This page will be updated when/if this situation changes.** + + +###**If the above checks out, you can start using your new Archlinux Template**### + +
+
+ + -If you want to help in improving the template, feel free to [contribute](/doc/contributing/). From de65095c4eeb3cc36eca81009e604881b2d1c8f2 Mon Sep 17 00:00:00 2001 From: TimFW Date: Thu, 11 Feb 2016 05:17:54 -0500 Subject: [PATCH 12/37] fix formating and image linking --- managing-os/templates/archlinux.md | 104 ++++++++++++++--------------- 1 file changed, 51 insertions(+), 53 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index 60129ef2..2b37a007 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -19,7 +19,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).
-##Instructions +##Instructions##
**These are the instructions for Qubes 3.1. They will take you step by step thru the entire process start to finish** @@ -29,19 +29,19 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).


-**1: Create and configure VM to use for template building:** +####**1: Create and configure VM to use for template building:**#### * The VM should be based on a Fedora template. It's best to use a standalone VM. I created a standalone VM based on the Fedora 23 template. I named the VM “**development**”. These instructions assume a standalone VM based on a Fedora template is being used.

- +![arch-template-01](/attachment/wiki/ArchlinuxTemplate/arch-template-01.png)

* Ensure there is at least 25GB preferably 30GB of free space in the private storage. I made the private storage 30GB to be safe.

- +![arch-template-02](/attachment/wiki/ArchlinuxTemplate/arch-template-02.png)

@@ -50,19 +50,19 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-**2: Create GitHub Account(optional):** +#####**2: Create GitHub Account(optional):**##### * It can be helpful. Creating only a basic account is all that is needed. This will allow you to help, going forward, with the Qubes project. You could be help edit errors in documentation. It can also be of use building other templates. * Create user account here https://github.com

- +![arch-template-03](/attachment/wiki/ArchlinuxTemplate/arch-template-03.png)


-**3: Install necessary packages in the 'development' VM to use "Qubes Automated Build System":** +#####**3: Install necessary packages to 'development' VM for "Qubes Automated Build System":**##### * Necessary packages to install: @@ -89,19 +89,19 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ sudo dnf install git createrepo rpm-build make wget rpmdevtools python-sh dialog rpm-sign**

- +![arch-template-04](/attachment/wiki/ArchlinuxTemplate/arch-template-04.png)


-**4: Installing the "Qubes Automated Build System":** +#####**4: Installing the "Qubes Automated Build System":**##### * To get the most current build system its best to use marmarek's git repository. * $ **git clone https://github.com/marmarek/qubes-builder.git**

- +![arch-template-05](/attachment/wiki/ArchlinuxTemplate/arch-template-05.png)

@@ -112,7 +112,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-**5: Configuring setup script to create builder.conf file:** +#####**5: Configuring setup script to create builder.conf file:**##### * You will be creating the builder.conf file which tells where and what to use. The most automated, and in in this case the easiest, way to create this is to use the script that is provided in Qubes Builder. Its named '**setup**'. Before running the script you need to edit one file it uses. @@ -125,18 +125,18 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ nano -W qubes-os-master.conf** or **$ gedit qubes-os-master.conf** or etc….

- +![arch-template-06](/attachment/wiki/ArchlinuxTemplate/arch-template-06.png)

* Go to the first line containing '**DIST_VM ?= fc23**' it will be preceeded by line '**DIST_DOM0 ?= fc20**'. Remove '**fc23**' or whatever is listed there leaving only '**DIST_VM ?=**'. Then save the file and close the text editor.

- +![arch-template-07](/attachment/wiki/ArchlinuxTemplate/arch-template-07.png)


-**6: Run the 'setup' script to build the builder.conf file** +#####**6: Run the 'setup' script to build the builder.conf file**##### * Run the 'setup' script located in '**/home/user/qubes-builder/**' Make sure you are in directory '**qubes-builder**' @@ -145,7 +145,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ ./setup**

- +![arch-template-08](/attachment/wiki/ArchlinuxTemplate/arch-template-08.png)

* First screen will ask you to import 'Qubes-Master-Signing-key.asc'. The 'setup' script not only downloads but confirms the key to that of the key on Qubes-OS website. @@ -154,7 +154,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-09](/attachment/wiki/ArchlinuxTemplate/arch-template-09.png)

@@ -164,7 +164,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-10](/attachment/wiki/ArchlinuxTemplate/arch-template-10.png)

@@ -174,7 +174,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-11](/attachment/wiki/ArchlinuxTemplate/arch-template-11.png)

@@ -184,7 +184,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-12](/attachment/wiki/ArchlinuxTemplate/arch-template-12.png)

@@ -199,7 +199,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press **Enter**

- +![arch-template-13](/attachment/wiki/ArchlinuxTemplate/arch-template-13.png)

@@ -212,9 +212,9 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Press '**Enter**'

- +![arch-template-14](/attachment/wiki/ArchlinuxTemplate/arch-template-14.png)
- +![arch-template-15](/attachment/wiki/ArchlinuxTemplate/arch-template-15.png)

@@ -227,39 +227,41 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * Select '**OK**' Press '**Enter**'

- +![arch-template-16](/attachment/wiki/ArchlinuxTemplate/arch-template-16.png)

*Note: 'Setup' will close and will output the text of the created build.conf file as well as the needed **make** commands to build the template*

- +![arch-template-17](/attachment/wiki/ArchlinuxTemplate/arch-template-17.png)


-**7: Install all the dependencies: (make sure you are in the “qubes-builder” directory to run the following cmds)** +#####**7: Install all the dependencies:**##### + +*Note: make sure you are in the “qubes-builder” directory to run the following cmds* * **$ make install-deps**

- +![arch-template-18](/attachment/wiki/ArchlinuxTemplate/arch-template-18.png)


-**8: Get all the require sources for the build: (Note: this may take some time)** +#####**8: Get all the require sources for the build: (Note: this may take some time)**##### * **$ make get-sources**

- +![arch-template-19](/attachment/wiki/ArchlinuxTemplate/arch-template-19.png)


-**9: Make all the require Qubes Components:** +#####**9: Make all the require Qubes Components:**##### * **Note:** You can run a single command to build all the Qubes components or you can run them each individually. Both ways below: @@ -269,7 +271,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ make qubes-vm**

- +![arch-template-20](/attachment/wiki/ArchlinuxTemplate/arch-template-20.png)

@@ -293,19 +295,18 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).
-**10: Make the actual Archlinux template:** - -* **$ make template** +#####**10: Make the actual Archlinux template:**##### +* **$ make template**

- +![arch-template-21](/attachment/wiki/ArchlinuxTemplate/arch-template-21.png)


-**11: Transfer Template into Dom0** +#####**11: Transfer Template into Dom0**##### * You need to ensure these two files are in the '**noarch**' directory @@ -320,11 +321,9 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ ls** * **qubes-template-archlinux-X.X.X-XXXXXXXXXXXX.noarch.rpm** (this is the template package 'X' replaces version and build digits) - -

- +![arch-template-22](/attachment/wiki/ArchlinuxTemplate/arch-template-22.png)

@@ -341,29 +340,28 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). * **$ sudo qvm-run --pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh** * **$ sudo qvm-run pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/noarch/qubes-template.archlinux-3.0.4-201512290227.noarch.rpm' > /home/user/Templates/qubes-template-archlinux-3.0.4-201512290227.noarch.rpm** -

- +![arch-template-23](/attachment/wiki/ArchlinuxTemplate/arch-template-23.png)

- +![arch-template-24](/attachment/wiki/ArchlinuxTemplate/arch-template-24.png)

- +![arch-template-25](/attachment/wiki/ArchlinuxTemplate/arch-template-25.png)



-**If everything went correct there should be a Archlinux template listed in your Qubes VM Manager** +#####**If everything went correct there should be a Archlinux template listed in your Qubes VM Manager**#####


--------------- -#**Package Manager Proxy Setup Section** +##**Package Manager Proxy Setup Section**## One last thing to setup to have a "PROPERLY" functioning archlinux template. @@ -386,7 +384,7 @@ Please check out:

-**1: Editing Pacman's configuration file (pacman.conf)** +#####**1: Editing Pacman's configuration file (pacman.conf)**##### * Open archlinux terminal app @@ -535,7 +533,7 @@ The addition of the above xrne-x86_64 repo is needed for the repo that contains

-**2: Setting Up GPG** (needs network access) +#####**2: Setting Up GPG** (needs network access)##### * Initialize GPG Keyring @@ -552,14 +550,14 @@ The addition of the above xrne-x86_64 repo is needed for the repo that contains

-**3: Install Powerpill (Pacman wrapper)** (needs network access) +#####**3: Install Powerpill (Pacman wrapper)** (needs network access)##### * **$ sudo pacman -S powerpill**

-**4: Install Reflector** (needs network access) +#####**4: Install Reflector** (needs network access)##### *Note: It scripts mirror updating. Grabbing the most up to date gen mirror list. It ranks them by most recently sync'd. Then ranks them on fastest speed. Also can be used by Powerpill config to allow a once stop conf file for all if so wanted.* @@ -571,7 +569,7 @@ Note: You can combine package downloads: **$ sudo pacman -S powerpill reflector

-**5: Backup mirrorlist prior to first running Reflector.** +#####**5: Backup mirrorlist prior to first running Reflector.**##### Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.org/index.php/Reflector) @@ -580,7 +578,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

-**6: Setup mirrolist with Reflector** (needs network access)** +#####**6: Setup mirrolist with Reflector** (needs network access)**##### *Note: Look at the Reflector page to decide what filter and argument string you wish to run. Below is a default string that will work for most all to setup a working basic mirrorlist. @@ -596,7 +594,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.
-**7: Configure Powerpill configuration file to use Qubes Proxy Service** +#####**7: Configure Powerpill configuration file to use Qubes Proxy Service**##### * Qubes Proxy Address: **10.137.255.254:8082** @@ -632,7 +630,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

-**8: Test Powerpill Configuration** +#####**8: Test Powerpill Configuration**##### *Note: Powerpill uses and passes the same syntax as pacman* @@ -645,7 +643,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

- +![arch-template-26](/attachment/wiki/ArchlinuxTemplate/arch-template-26.png)

From badc99ceb46de0c89397541c9fcb7b8984309b9b Mon Sep 17 00:00:00 2001 From: TimFW Date: Thu, 11 Feb 2016 06:08:01 -0500 Subject: [PATCH 13/37] Fix issues * Fixed: line 191 - typo * Fixed: line 342 - removed the rpm transfer line 351 - removed corresponding image-25 * Still Open: line 402-523 - denoting pacman.conf lines that need to be changed within the entire file output. --- managing-os/templates/archlinux.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index 2b37a007..ddbadc70 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -188,7 +188,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

- * Screen '**Builder Plugin Selection**' will gives choices of builder plugins to use for the build. + * Screen '**Builder Plugin Selection**' will give choices of builder plugins to use for the build. * Deselect '**Fedora**' @@ -327,19 +327,18 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-* **Transfer the two files into Dom0** +* **Transfer the install-templates.sh script file into Dom0** *Note: as there is not a typical file transfer method for Dom0, for security reasons, this less than simple transfer function has to be used* * Swtich to Domo and open a terminal window. - **Note:** Take care when entering these cmd strings. They are very long and have a number of characters that are easy to mix '**-**' vs '**.**' '**Templates** (correct) vs **templates** (wrong) or **Template_**'(also wrong) + **Note:** Take care when entering these cmd strings. They are very long and have a number of characters that are easy to mix '**-**' vs '**.**' '**Templates** (correct) vs **templates** (wrong) or **Template_**'(also wrong) This script will also take care of transfering the actual template.rpm to Dom0 as well. * **$ cd /** * **$ sudo qvm-run --pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh** - * **$ sudo qvm-run pass-io development 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/noarch/qubes-template.archlinux-3.0.4-201512290227.noarch.rpm' > /home/user/Templates/qubes-template-archlinux-3.0.4-201512290227.noarch.rpm**

![arch-template-23](/attachment/wiki/ArchlinuxTemplate/arch-template-23.png) @@ -348,9 +347,6 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). ![arch-template-24](/attachment/wiki/ArchlinuxTemplate/arch-template-24.png)

-![arch-template-25](/attachment/wiki/ArchlinuxTemplate/arch-template-25.png) -
-


From 099d9917464b56f7ed3ae4e2410088898113aba1 Mon Sep 17 00:00:00 2001 From: TimFW Date: Thu, 11 Feb 2016 22:27:43 -0500 Subject: [PATCH 14/37] Fix issues * Denoted the edited lines in the pacman.conf output * Added 'known issues' and 'want to contribute' sections * For image links I followed the path format used in the doc-guidelines.md ( know the images show up in the webpage when its live but links in the actual .md file thru github) * Fixed a couple format and typos Is there anything else that should be edited? --- managing-os/templates/archlinux.md | 281 ++++++++++++++++------------- 1 file changed, 153 insertions(+), 128 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index ddbadc70..fa67d643 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -395,138 +395,138 @@ Please check out:
- # - # /etc/pacman.conf - # - # See the pacman.conf(5) manpage for option and repository directives - - # - # GENERAL OPTIONS - # - [options] - # The following paths are commented out with their default values listed. - # If you wish to use different paths, uncomment and update the paths. - #RootDir = / - #DBPath = /var/lib/pacman/ - #CacheDir = /var/cache/pacman/pkg/ - #LogFile = /var/log/pacman.log - GPGDir = /etc/pacman.d/gnupg/ - HoldPkg = pacman glibc - #XferCommand = /usr/bin/curl -C - -f %u > %o - #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u - #CleanMethod = KeepInstalled - #UseDelta = 0.7 - Architecture = auto - - # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup - #IgnorePkg = - #IgnoreGroup = - #NoUpgrade = - NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio - #NoExtract = - - # Misc options - #UseSyslog - #Color - #TotalDownload - CheckSpace - #VerbosePkgLists - - # By default, pacman accepts packages signed by keys that its local keyring - # trusts (see pacman-key and its man page), as well as unsigned packages. - #SigLevel = Required DatabaseOptional - LocalFileSigLevel = Optional - #RemoteFileSigLevel = Required - - # NOTE: You must run `pacman-key --init` before first using pacman; the local - # keyring can then be populated with the keys of all official Arch Linux - # packagers with `pacman-key --populate archlinux`. - - # - # REPOSITORIES - # - can be defined here or included from another file - # - pacman will search repositories in the order defined here - # - local/custom mirrors can be added here or in separate files - # - repositories listed first will take precedence when packages - # have identical names, regardless of version number - # - URLs will have $repo replaced by the name of the current repo - # - URLs will have $arch replaced by the name of the architecture - # - # Repository entries are of the format: - # [repo-name] - # Server = ServerName - # Include = IncludePath - # - # The header [repo-name] is crucial - it must be present and - # uncommented to enable the repo. - # - - # The testing repositories are disabled by default. To enable, uncomment the - # repo name header and Include lines. You can add preferred servers immediately - # after the header, and they will be used before the default mirrors. - - #[testing] - #SigLevel = PackageRequired - #Include = /etc/pacman.d/mirrorlist - - [core] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - [extra] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - #[community-testing] - #SigLevel = PackageRequired - #Include = /etc/pacman.d/mirrorlist - - [community] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - # If you want to run 32 bit applications on your x86_64 system, - # enable the multilib repositories as required here. - - #[multilib-testing] - #Include = /etc/pacman.d/mirrorlist - - #[multilib] - #Include = /etc/pacman.d/mirrorlist - - # An example of a custom package repository. See the pacman manpage for - # tips on creating your own repositories. - #[custom] - #SigLevel = Optional TrustAll - #Server = file:///home/custompkgs - - [multilib] - SigLevel = PackageRequired - Include = /etc/pacman.d/mirrorlist - - #[qubes] - #commented out as it errors and is not current - #Server = http://olivier.medoc.free.fr/archlinux/pkgs/ - - [xyne-x86_64] - # Added to download powerpill app - # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ - # Packages for the "x86_64" architecture. - # Note that this includes all packages in [xyne-any]. - SigLevel = Required - Server = http://xyne.archlinux.ca/repos/xyne - - #end of file - + # /etc/pacman.conf + # + # See the pacman.conf(5) manpage for option and repository directives + + # + # GENERAL OPTIONS + # + [options] + # The following paths are commented out with their default values listed. + # If you wish to use different paths, uncomment and update the paths. + #RootDir = / + #DBPath = /var/lib/pacman/ + #CacheDir = /var/cache/pacman/pkg/ + #LogFile = /var/log/pacman.log + GPGDir = /etc/pacman.d/gnupg/ + HoldPkg = pacman glibc + #XferCommand = /usr/bin/curl -C - -f %u > %o + #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u + #CleanMethod = KeepInstalled + #UseDelta = 0.7 + Architecture = auto + # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup + #IgnorePkg = + #IgnoreGroup = + #NoUpgrade = + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio + #NoExtract = -
+ # Misc options + #UseSyslog + #Color + #TotalDownload + CheckSpace + #VerbosePkgLists -The addition of the above xrne-x86_64 repo is needed for the repo that contains powerpill. + # By default, pacman accepts packages signed by keys that its local keyring + # trusts (see pacman-key and its man page), as well as unsigned packages. +**Edited Line:** `#SigLevel = Required DatabaseOptional` + + LocalFileSigLevel = Optional + #RemoteFileSigLevel = Required + + # NOTE: You must run `pacman-key --init` before first using pacman; the local + # keyring can then be populated with the keys of all official Arch Linux + # packagers with `pacman-key --populate archlinux`. + + # + # REPOSITORIES + # - can be defined here or included from another file + # - pacman will search repositories in the order defined here + # - local/custom mirrors can be added here or in separate files + # - repositories listed first will take precedence when packages + # have identical names, regardless of version number + # - URLs will have $repo replaced by the name of the current repo + # - URLs will have $arch replaced by the name of the architecture + # + # Repository entries are of the format: + # [repo-name] + # Server = ServerName + # Include = IncludePath + # + # The header [repo-name] is crucial - it must be present and + # uncommented to enable the repo. + # + + # The testing repositories are disabled by default. To enable, uncomment the + # repo name header and Include lines. You can add preferred servers immediately + # after the header, and they will be used before the default mirrors. + + #[testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [core] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + + [extra] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + + #[community-testing] + #SigLevel = PackageRequired + #Include = /etc/pacman.d/mirrorlist + + [community] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + + # If you want to run 32 bit applications on your x86_64 system, + # enable the multilib repositories as required here. + + #[multilib-testing] + #Include = /etc/pacman.d/mirrorlist + + #[multilib] + #Include = /etc/pacman.d/mirrorlist + + # An example of a custom package repository. See the pacman manpage for + # tips on creating your own repositories. + #[custom] + #SigLevel = Optional TrustAll + #Server = file:///home/custompkgs + + [multilib] +**Edited Line:** `SigLevel = PackageRequired` + + Include = /etc/pacman.d/mirrorlist + +**Edited Line:** `#[qubes]` + +**Edited Line:** `#Server = http://olivier.medoc.free.fr/archlinux/pkgs/` + +**Add Section Below:** + + [xyne-x86_64] + # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ + # Packages for the "x86_64" architecture. + # Added for PowerPill app + # Note that this includes all packages in [xyne-any]. + SigLevel = Required + Server = http://xyne.archlinux.ca/repos/xyne + +---------- -
-

#####**2: Setting Up GPG** (needs network access)##### @@ -537,7 +537,7 @@ The addition of the above xrne-x86_64 repo is needed for the repo that contains * Populate the keyring with Archlinux master keys - * **$ sudo pacmna-key --populate archlinux** + * **$ sudo pacman-key --populate archlinux** * Confirm keys with those at [Archlinux Master Keys](https://www.archlinux.org/master-keys/) @@ -652,5 +652,30 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

+####**Known Issues:**#### +* If there is an Arch upgrade of Pulse Audio it will require rebuilding and installing Qubes component: gui-agent-linux +* There May also be a similar issue of dependencies with Xorg. + +* Upgrade Relfector functionality to allow its use thru the QUPS + +* Pacman functionality changes and allows it to be directly configured to work thru QUPS. + +
+ +####**Qubes Mailing List Threads on the Archlinux build process:**#### + +* [Qubes-Devel](https://groups.google.com/forum/#!forum/qubes-devel): [Qubes Builder failed Archlinux repository is missing](https://groups.google.com/forum/#!topic/qubes-devel/tIFkS-rPVx8) + +* [Qubes-Users](https://groups.google.com/forum/#!forum/qubes-users): [Trying to compile archlinux template](https://groups.google.com/forum/#!topic/qubes-users/7wuwr3LgkQQ) + +
+ +####**Want to contribute?**#### + +* [How can I contribute to the Qubes Project?](/doc/contributing/) + +* [Guidelines for Documentation Contributors](doc/doc-guidelines/) + +
From bebad1a916cddd686c1fc22e7b97199775712c40 Mon Sep 17 00:00:00 2001 From: Axon Date: Fri, 19 Feb 2016 16:32:34 +0000 Subject: [PATCH 15/37] Minor formatting fixes --- managing-os/templates/archlinux.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index fa67d643..137b6f0c 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -29,6 +29,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).


+ ####**1: Create and configure VM to use for template building:**#### * The VM should be based on a Fedora template. It's best to use a standalone VM. I created a standalone VM based on @@ -50,7 +51,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**2: Create GitHub Account(optional):**##### +#####**2: Create GitHub Account (optional):**##### * It can be helpful. Creating only a basic account is all that is needed. This will allow you to help, going forward, with the Qubes project. You could be help edit errors in documentation. It can also be of use building other templates. From de5ae51c5bf96c3f6cce6bae993df838cd90415a Mon Sep 17 00:00:00 2001 From: Zrubi Date: Fri, 19 Feb 2016 18:02:36 +0100 Subject: [PATCH 16/37] HCL output (.txt -> .yml) correction --- hardware/hcl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardware/hcl.md b/hardware/hcl.md index 1b610d26..2cbdd236 100644 --- a/hardware/hcl.md +++ b/hardware/hcl.md @@ -37,7 +37,7 @@ In order to generate a HCL report in Qubes, simply open a terminal in dom0 (KDE: (Note: If you are working with a new Qubes installation, you may need to update your system in order to download this script.) You are encouraged to submit your HCL report for the benefit of further Qubes development and other users. - If you would like to submit your HCL report, please send the **HCL Info** `.txt` file to [\`qubes-users@googlegroups.com\`](/doc/mailing-lists/) with the subject `HCL - `. + If you would like to submit your HCL report, please send the **HCL Info** `.yml` file to [\`qubes-users@googlegroups.com\`](/doc/mailing-lists/) with the subject `HCL - `. Please include any useful information about any Qubes features you may have tested (see the legend below), as well as general machine compatibility (video, networking, sleep, etc.). If you have problems with your hardware try a different kernel in the [Troubleshooting menu](/doc/InstallationGuideR2rc1/#troubleshooting-problems-with-the-installer). Please consider sending the **HCL Support Files** `.cpio.gz` file as well. From e909fe2c0f1f46b55a4c0d0a1eef00f797343256 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 19 Feb 2016 18:20:31 +0100 Subject: [PATCH 17/37] archlinux: add spaces around '###' markers --- managing-os/templates/archlinux.md | 210 ++++++++++++++--------------- 1 file changed, 105 insertions(+), 105 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index 137b6f0c..f9cb04c2 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -19,7 +19,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).
-##Instructions## +## Instructions ##
**These are the instructions for Qubes 3.1. They will take you step by step thru the entire process start to finish** @@ -30,7 +30,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-####**1: Create and configure VM to use for template building:**#### +#### **1: Create and configure VM to use for template building:** #### * The VM should be based on a Fedora template. It's best to use a standalone VM. I created a standalone VM based on the Fedora 23 template. I named the VM “**development**”. These instructions assume a standalone VM based on a Fedora template is being used. @@ -51,7 +51,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**2: Create GitHub Account (optional):**##### +##### **2: Create GitHub Account (optional):** ##### * It can be helpful. Creating only a basic account is all that is needed. This will allow you to help, going forward, with the Qubes project. You could be help edit errors in documentation. It can also be of use building other templates. @@ -63,7 +63,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**3: Install necessary packages to 'development' VM for "Qubes Automated Build System":**##### +##### **3: Install necessary packages to 'development' VM for "Qubes Automated Build System":** ##### * Necessary packages to install: @@ -95,7 +95,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**4: Installing the "Qubes Automated Build System":**##### +##### **4: Installing the "Qubes Automated Build System":** ##### * To get the most current build system its best to use marmarek's git repository. @@ -113,7 +113,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**5: Configuring setup script to create builder.conf file:**##### +##### **5: Configuring setup script to create builder.conf file:** ##### * You will be creating the builder.conf file which tells where and what to use. The most automated, and in in this case the easiest, way to create this is to use the script that is provided in Qubes Builder. Its named '**setup**'. Before running the script you need to edit one file it uses. @@ -137,7 +137,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**6: Run the 'setup' script to build the builder.conf file**##### +##### **6: Run the 'setup' script to build the builder.conf file** ##### * Run the 'setup' script located in '**/home/user/qubes-builder/**' Make sure you are in directory '**qubes-builder**' @@ -240,7 +240,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**7: Install all the dependencies:**##### +##### **7: Install all the dependencies:** ##### *Note: make sure you are in the “qubes-builder” directory to run the following cmds* @@ -252,7 +252,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**8: Get all the require sources for the build: (Note: this may take some time)**##### +##### **8: Get all the require sources for the build: (Note: this may take some time)** ##### * **$ make get-sources**
@@ -262,7 +262,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**9: Make all the require Qubes Components:**##### +##### **9: Make all the require Qubes Components:** ##### * **Note:** You can run a single command to build all the Qubes components or you can run them each individually. Both ways below: @@ -296,7 +296,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).
-#####**10: Make the actual Archlinux template:**##### +##### **10: Make the actual Archlinux template:** ##### * **$ make template**
@@ -307,7 +307,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).
-#####**11: Transfer Template into Dom0**##### +##### **11: Transfer Template into Dom0** ##### * You need to ensure these two files are in the '**noarch**' directory @@ -351,14 +351,14 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-#####**If everything went correct there should be a Archlinux template listed in your Qubes VM Manager**##### +##### **If everything went correct there should be a Archlinux template listed in your Qubes VM Manager** #####


--------------- -##**Package Manager Proxy Setup Section**## +## **Package Manager Proxy Setup Section** ## One last thing to setup to have a "PROPERLY" functioning archlinux template. @@ -381,7 +381,7 @@ Please check out:

-#####**1: Editing Pacman's configuration file (pacman.conf)**##### +##### **1: Editing Pacman's configuration file (pacman.conf)** ##### * Open archlinux terminal app @@ -396,82 +396,82 @@ Please check out:
- # /etc/pacman.conf - # - # See the pacman.conf(5) manpage for option and repository directives + # /etc/pacman.conf + # + # See the pacman.conf(5) manpage for option and repository directives - # - # GENERAL OPTIONS - # + # + # GENERAL OPTIONS + # [options] - # The following paths are commented out with their default values listed. - # If you wish to use different paths, uncomment and update the paths. - #RootDir = / - #DBPath = /var/lib/pacman/ - #CacheDir = /var/cache/pacman/pkg/ - #LogFile = /var/log/pacman.log + # The following paths are commented out with their default values listed. + # If you wish to use different paths, uncomment and update the paths. + # RootDir = / + # DBPath = /var/lib/pacman/ + # CacheDir = /var/cache/pacman/pkg/ + # LogFile = /var/log/pacman.log GPGDir = /etc/pacman.d/gnupg/ HoldPkg = pacman glibc - #XferCommand = /usr/bin/curl -C - -f %u > %o - #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u - #CleanMethod = KeepInstalled - #UseDelta = 0.7 + # XferCommand = /usr/bin/curl -C - -f %u > %o + # XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u + # CleanMethod = KeepInstalled + # UseDelta = 0.7 Architecture = auto - # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup - #IgnorePkg = - #IgnoreGroup = - #NoUpgrade = + # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup + # IgnorePkg = + # IgnoreGroup = + # NoUpgrade = NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio - #NoExtract = + # NoExtract = - # Misc options - #UseSyslog - #Color - #TotalDownload + # Misc options + # UseSyslog + # Color + # TotalDownload CheckSpace - #VerbosePkgLists + # VerbosePkgLists - # By default, pacman accepts packages signed by keys that its local keyring - # trusts (see pacman-key and its man page), as well as unsigned packages. -**Edited Line:** `#SigLevel = Required DatabaseOptional` + # By default, pacman accepts packages signed by keys that its local keyring + # trusts (see pacman-key and its man page), as well as unsigned packages. +**Edited Line:** ` # SigLevel = Required DatabaseOptional` LocalFileSigLevel = Optional - #RemoteFileSigLevel = Required + # RemoteFileSigLevel = Required - # NOTE: You must run `pacman-key --init` before first using pacman; the local - # keyring can then be populated with the keys of all official Arch Linux - # packagers with `pacman-key --populate archlinux`. + # NOTE: You must run `pacman-key --init` before first using pacman; the local + # keyring can then be populated with the keys of all official Arch Linux + # packagers with `pacman-key --populate archlinux`. - # - # REPOSITORIES - # - can be defined here or included from another file - # - pacman will search repositories in the order defined here - # - local/custom mirrors can be added here or in separate files - # - repositories listed first will take precedence when packages - # have identical names, regardless of version number - # - URLs will have $repo replaced by the name of the current repo - # - URLs will have $arch replaced by the name of the architecture - # - # Repository entries are of the format: - # [repo-name] - # Server = ServerName - # Include = IncludePath - # - # The header [repo-name] is crucial - it must be present and - # uncommented to enable the repo. - # + # + # REPOSITORIES + # - can be defined here or included from another file + # - pacman will search repositories in the order defined here + # - local/custom mirrors can be added here or in separate files + # - repositories listed first will take precedence when packages + # have identical names, regardless of version number + # - URLs will have $repo replaced by the name of the current repo + # - URLs will have $arch replaced by the name of the architecture + # + # Repository entries are of the format: + # [repo-name] + # Server = ServerName + # Include = IncludePath + # + # The header [repo-name] is crucial - it must be present and + # uncommented to enable the repo. + # - # The testing repositories are disabled by default. To enable, uncomment the - # repo name header and Include lines. You can add preferred servers immediately - # after the header, and they will be used before the default mirrors. + # The testing repositories are disabled by default. To enable, uncomment the + # repo name header and Include lines. You can add preferred servers immediately + # after the header, and they will be used before the default mirrors. - #[testing] - #SigLevel = PackageRequired - #Include = /etc/pacman.d/mirrorlist + # [testing] + # SigLevel = PackageRequired + # Include = /etc/pacman.d/mirrorlist [core] **Edited Line:** `SigLevel = PackageRequired` @@ -483,46 +483,46 @@ Please check out: Include = /etc/pacman.d/mirrorlist - #[community-testing] - #SigLevel = PackageRequired - #Include = /etc/pacman.d/mirrorlist + # [community-testing] + # SigLevel = PackageRequired + # Include = /etc/pacman.d/mirrorlist [community] **Edited Line:** `SigLevel = PackageRequired` Include = /etc/pacman.d/mirrorlist - # If you want to run 32 bit applications on your x86_64 system, - # enable the multilib repositories as required here. + # If you want to run 32 bit applications on your x86_64 system, + # enable the multilib repositories as required here. - #[multilib-testing] - #Include = /etc/pacman.d/mirrorlist + # [multilib-testing] + # Include = /etc/pacman.d/mirrorlist - #[multilib] - #Include = /etc/pacman.d/mirrorlist + # [multilib] + # Include = /etc/pacman.d/mirrorlist - # An example of a custom package repository. See the pacman manpage for - # tips on creating your own repositories. - #[custom] - #SigLevel = Optional TrustAll - #Server = file:///home/custompkgs + # An example of a custom package repository. See the pacman manpage for + # tips on creating your own repositories. + # [custom] + # SigLevel = Optional TrustAll + # Server = file:///home/custompkgs [multilib] **Edited Line:** `SigLevel = PackageRequired` Include = /etc/pacman.d/mirrorlist -**Edited Line:** `#[qubes]` +**Edited Line:** ` # [qubes]` -**Edited Line:** `#Server = http://olivier.medoc.free.fr/archlinux/pkgs/` +**Edited Line:** ` # Server = http://olivier.medoc.free.fr/archlinux/pkgs/` **Add Section Below:** [xyne-x86_64] - # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ - # Packages for the "x86_64" architecture. - # Added for PowerPill app - # Note that this includes all packages in [xyne-any]. + # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ + # Packages for the "x86_64" architecture. + # Added for PowerPill app + # Note that this includes all packages in [xyne-any]. SigLevel = Required Server = http://xyne.archlinux.ca/repos/xyne @@ -530,7 +530,7 @@ Please check out:
-#####**2: Setting Up GPG** (needs network access)##### +##### **2: Setting Up GPG** (needs network access) ##### * Initialize GPG Keyring @@ -547,14 +547,14 @@ Please check out:

-#####**3: Install Powerpill (Pacman wrapper)** (needs network access)##### +##### **3: Install Powerpill (Pacman wrapper)** (needs network access) ##### * **$ sudo pacman -S powerpill**

-#####**4: Install Reflector** (needs network access)##### +##### **4: Install Reflector** (needs network access) ##### *Note: It scripts mirror updating. Grabbing the most up to date gen mirror list. It ranks them by most recently sync'd. Then ranks them on fastest speed. Also can be used by Powerpill config to allow a once stop conf file for all if so wanted.* @@ -566,7 +566,7 @@ Note: You can combine package downloads: **$ sudo pacman -S powerpill reflector

-#####**5: Backup mirrorlist prior to first running Reflector.**##### +##### **5: Backup mirrorlist prior to first running Reflector.** ##### Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.org/index.php/Reflector) @@ -575,7 +575,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

-#####**6: Setup mirrolist with Reflector** (needs network access)**##### +##### **6: Setup mirrolist with Reflector** (needs network access)** ##### *Note: Look at the Reflector page to decide what filter and argument string you wish to run. Below is a default string that will work for most all to setup a working basic mirrorlist. @@ -591,7 +591,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.
-#####**7: Configure Powerpill configuration file to use Qubes Proxy Service**##### +##### **7: Configure Powerpill configuration file to use Qubes Proxy Service** ##### * Qubes Proxy Address: **10.137.255.254:8082** @@ -627,7 +627,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.

-#####**8: Test Powerpill Configuration**##### +##### **8: Test Powerpill Configuration** ##### *Note: Powerpill uses and passes the same syntax as pacman* @@ -648,12 +648,12 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux. **Remember you must open up network access anytime you wish to run the Reflector script to update the mirrorlist. This page will be updated when/if this situation changes.** -###**If the above checks out, you can start using your new Archlinux Template**### +### **If the above checks out, you can start using your new Archlinux Template** ###

-####**Known Issues:**#### +#### **Known Issues:** #### * If there is an Arch upgrade of Pulse Audio it will require rebuilding and installing Qubes component: gui-agent-linux @@ -665,15 +665,15 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux.
-####**Qubes Mailing List Threads on the Archlinux build process:**#### +#### **Qubes Mailing List Threads on the Archlinux build process:** #### -* [Qubes-Devel](https://groups.google.com/forum/#!forum/qubes-devel): [Qubes Builder failed Archlinux repository is missing](https://groups.google.com/forum/#!topic/qubes-devel/tIFkS-rPVx8) +* [Qubes-Devel](https://groups.google.com/forum/ # !forum/qubes-devel): [Qubes Builder failed Archlinux repository is missing](https://groups.google.com/forum/#!topic/qubes-devel/tIFkS-rPVx8) -* [Qubes-Users](https://groups.google.com/forum/#!forum/qubes-users): [Trying to compile archlinux template](https://groups.google.com/forum/#!topic/qubes-users/7wuwr3LgkQQ) +* [Qubes-Users](https://groups.google.com/forum/ # !forum/qubes-users): [Trying to compile archlinux template](https://groups.google.com/forum/#!topic/qubes-users/7wuwr3LgkQQ)
-####**Want to contribute?**#### +#### **Want to contribute?** #### * [How can I contribute to the Qubes Project?](/doc/contributing/) From d27949b5b48da3cf55c1d677d2355f4132236cd4 Mon Sep 17 00:00:00 2001 From: Axon Date: Sat, 20 Feb 2016 19:44:22 +0000 Subject: [PATCH 18/37] Add redirect from `/doc/vpn/` (fixes QubesOS/qubes-issues#1765) --- privacy/vpn.md | 1 + 1 file changed, 1 insertion(+) diff --git a/privacy/vpn.md b/privacy/vpn.md index 5d81be3a..98cf4268 100644 --- a/privacy/vpn.md +++ b/privacy/vpn.md @@ -4,6 +4,7 @@ title: VPN permalink: /doc/privacy/vpn/ redirect_from: - /en/doc/vpn/ +- /doc/vpn/ - /doc/VPN/ - /wiki/VPN/ --- From 73a546854ad357a650da99060b5c0847f46d239d Mon Sep 17 00:00:00 2001 From: Axon Date: Sat, 20 Feb 2016 21:15:30 +0000 Subject: [PATCH 19/37] Clean up and organize privacy pages * Logically organize the Whonix-related pages * Move the VPN page to /configuration/ * VPNs are used for more than just privacy, and many VPN setups and services either can't or don't claim to provide privacy. * Remove `/privacy/` from URLs * These directory names are just for organizing the source pages, *unless* an actual page resides there. Since there is no /doc/privacy/ page, it's unnecessary and misleading to have this in the URLs. It also breaks uniformity, since none of the other pages have their informal group name in their URL (again, unless there's a page with that name). --- {privacy => configuration}/vpn.md | 4 ++-- doc.md | 13 ++++++------- privacy/torvm.md | 3 ++- .../{customizing-whonix.md => whonix-customize.md} | 3 ++- privacy/{install-whonix.md => whonix-install.md} | 3 ++- .../{uninstall-whonix.md => whonix-uninstall.md} | 3 ++- privacy/{updating-whonix.md => whonix-update.md} | 3 ++- privacy/whonix.md | 11 ++++++----- 8 files changed, 24 insertions(+), 19 deletions(-) rename {privacy => configuration}/vpn.md (98%) rename privacy/{customizing-whonix.md => whonix-customize.md} (97%) rename privacy/{install-whonix.md => whonix-install.md} (97%) rename privacy/{uninstall-whonix.md => whonix-uninstall.md} (96%) rename privacy/{updating-whonix.md => whonix-update.md} (97%) diff --git a/privacy/vpn.md b/configuration/vpn.md similarity index 98% rename from privacy/vpn.md rename to configuration/vpn.md index 98cf4268..3594a912 100644 --- a/privacy/vpn.md +++ b/configuration/vpn.md @@ -1,10 +1,10 @@ --- layout: doc title: VPN -permalink: /doc/privacy/vpn/ +permalink: /doc/vpn/ redirect_from: +- /doc/privacy/vpn/ - /en/doc/vpn/ -- /doc/vpn/ - /doc/VPN/ - /wiki/VPN/ --- diff --git a/doc.md b/doc.md index 9dcba3bb..6914972f 100644 --- a/doc.md +++ b/doc.md @@ -85,13 +85,12 @@ Security Guides Privacy Guides -------------- - * [Whonix for privacy & anonymization](/doc/privacy/whonix/) - * [Install Whonix in Qubes](/doc/privacy/install-whonix/) - * [Updating Whonix in Qubes](/doc/privacy/updating-whonix/) - * [Customizing Whonix](/doc/privacy/customizing-whonix/) - * [Uninstall Whonix from Qubes](/doc/privacy/uninstall-whonix/) - * [How to Install TorVM](/doc/privacy/torvm/) - * [How to set up a ProxyVM as a VPN Gateway](/doc/privacy/vpn/) + * [Whonix for privacy & anonymization](/doc/whonix/) + * [Install Whonix in Qubes](/doc/whonix/install/) + * [Updating Whonix in Qubes](/doc/whonix/update/) + * [Customizing Whonix](/doc/whonix/customize/) + * [Uninstall Whonix from Qubes](/doc/whonix/uninstall/) + * [How to Install TorVM](/doc/torvm/) Configuration Guides diff --git a/privacy/torvm.md b/privacy/torvm.md index 62603475..161d38c7 100644 --- a/privacy/torvm.md +++ b/privacy/torvm.md @@ -1,8 +1,9 @@ --- layout: doc title: TorVM -permalink: /doc/privacy/torvm/ +permalink: /doc/torvm/ redirect_from: +- /doc/privacy/torvm/ - /en/doc/torvm/ - /doc/TorVM/ - /doc/UserDoc/TorVM/ diff --git a/privacy/customizing-whonix.md b/privacy/whonix-customize.md similarity index 97% rename from privacy/customizing-whonix.md rename to privacy/whonix-customize.md index d12bd690..f43a6e9d 100644 --- a/privacy/customizing-whonix.md +++ b/privacy/whonix-customize.md @@ -1,7 +1,8 @@ --- layout: doc title: Customizing Whonix -permalink: /doc/privacy/customizing-whonix/ +permalink: /doc/whonix/customize/ +redirect_from: /doc/privacy/customizing-whonix/ --- Customizing Whonix diff --git a/privacy/install-whonix.md b/privacy/whonix-install.md similarity index 97% rename from privacy/install-whonix.md rename to privacy/whonix-install.md index 77a13c32..d8f1cd6f 100644 --- a/privacy/install-whonix.md +++ b/privacy/whonix-install.md @@ -1,7 +1,8 @@ --- layout: doc title: Install Whonix in Qubes -permalink: /doc/privacy/install-whonix/ +permalink: /doc/whonix/install/ +redirect_from: /doc/privacy/install-whonix/ --- diff --git a/privacy/uninstall-whonix.md b/privacy/whonix-uninstall.md similarity index 96% rename from privacy/uninstall-whonix.md rename to privacy/whonix-uninstall.md index dbbe69c5..37307851 100644 --- a/privacy/uninstall-whonix.md +++ b/privacy/whonix-uninstall.md @@ -1,7 +1,8 @@ --- layout: doc title: Uninstall Whonix from Qubes -permalink: /doc/privacy/uninstall-whonix/ +permalink: /doc/whonix/uninstall/ +redirect_from: /doc/privacy/uninstall-whonix/ --- Uninstall Whonix from Qubes diff --git a/privacy/updating-whonix.md b/privacy/whonix-update.md similarity index 97% rename from privacy/updating-whonix.md rename to privacy/whonix-update.md index 2820259c..47045bac 100644 --- a/privacy/updating-whonix.md +++ b/privacy/whonix-update.md @@ -1,7 +1,8 @@ --- layout: doc title: Updating Whonix in Qubes -permalink: /doc/privacy/updating-whonix/ +permalink: /doc/whonix/update/ +redirect_from: /doc/privacy/updating-whonix/ --- Updating Whonix in Qubes diff --git a/privacy/whonix.md b/privacy/whonix.md index a48a9473..07000511 100644 --- a/privacy/whonix.md +++ b/privacy/whonix.md @@ -1,7 +1,8 @@ --- layout: doc title: Whonix for privacy & anonymizations -permalink: /doc/privacy/whonix/ +permalink: /doc/whonix/ +redirect_from: /doc/privacy/whonix/ --- Whonix for Privacy & Anonymity @@ -15,13 +16,13 @@ To improve your privacy & anonymity on the internet, you can install the [Whonix To install Whonix, you must have a working Qubes machine already. -* [Install Whonix in Qubes](/doc/privacy/install-whonix/) -* [Updating Whonix in Qubes](/doc/privacy/updating-whonix/) +* [Install Whonix in Qubes](/doc/whonix/install/) +* [Updating Whonix in Qubes](/doc/whonix/update/) ### Customizing & Uninstalling Whonix -* [Customizing Whonix](/doc/privacy/customizing-whonix/) -* [Uninstall Whonix from Qubes](/doc/privacy/uninstall-whonix/) +* [Customizing Whonix](/doc/whonix/customize/) +* [Uninstall Whonix from Qubes](/doc/whonix/uninstall/) *The following links are on Whonix's website and are technical.* From 6a71ab6b485b4e8a7eb3860b4030b7a87a1fb053 Mon Sep 17 00:00:00 2001 From: Axon Date: Sat, 20 Feb 2016 21:37:33 +0000 Subject: [PATCH 20/37] Update link --- managing-os/templates/whonix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/managing-os/templates/whonix.md b/managing-os/templates/whonix.md index 7aa800fd..dfd6e477 100644 --- a/managing-os/templates/whonix.md +++ b/managing-os/templates/whonix.md @@ -20,4 +20,4 @@ Whonix template(s) are another Qubes community contribution. Currently Whonix ac ### Installation & Details -To learn more and for installation instructions, read our privacy guide: [Whonix for privacy & anonymization](/doc/privacy/whonix/) +To learn more and for installation instructions, read our privacy guide: [Whonix for privacy & anonymization](/doc/whonix/) From 61ced3aa60baf95b404343f26147f638ff4111f0 Mon Sep 17 00:00:00 2001 From: Axon Date: Sat, 20 Feb 2016 22:07:39 +0000 Subject: [PATCH 21/37] Make using and contributing to the docs more accessible (QubesOS/qubes-issues#1714) --- developers/contributing.md | 1 + developers/doc-guidelines.md | 4 ++-- doc.md | 4 +++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/developers/contributing.md b/developers/contributing.md index e85c6718..ad38e33b 100644 --- a/developers/contributing.md +++ b/developers/contributing.md @@ -19,6 +19,7 @@ First you should decide what you are interested in (and good in). The Qubes proj - Code audit (e.g. gui-daemon) - New features - Artwork (plymouth themes, KDM themes, installer themes, wallpapers, etc) +- [Documentation](/doc/doc-guidelines) Perhaps the best starting point is to have a look at the [issues](https://github.com/QubesOS/qubes-issues/issues) to see what are the most urgent tasks to do. diff --git a/developers/doc-guidelines.md b/developers/doc-guidelines.md index 0430da41..39079a70 100644 --- a/developers/doc-guidelines.md +++ b/developers/doc-guidelines.md @@ -8,8 +8,8 @@ redirect_from: - /doc/DocStyle/ --- -Guidelines for Documentation Contributors -========================================= +Documentation Guidelines +======================== All Qubes OS documentation pages are stored as plain text files in the dedicated [qubes-doc] repository. By cloning and regularly pulling from diff --git a/doc.md b/doc.md index 6914972f..36a501a9 100644 --- a/doc.md +++ b/doc.md @@ -13,8 +13,11 @@ redirect_from: The Basics ---------- + * [A Tour of Qubes OS](/tour/) + * [Getting Started](/getting-started) * [Users' FAQ](/doc/user-faq/) * [Mailing Lists](/doc/mailing-lists/) + * [Documentation Guidelines](/doc/doc-guidelines/) * [Further reading: How is Qubes different from...?](http://blog.invisiblethings.org/2012/09/12/how-is-qubes-os-different-from.html) * [Further reading: Why Qubes is more than a collection of VMs](http://www.invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) @@ -159,6 +162,5 @@ For Developers * [Qubes OS Version Scheme](/doc/version-scheme/) * [Supported Versions](/doc/supported-versions/) * [Coding Guidelines](/doc/coding-style/) - * [Documentation Guidelines](/doc/doc-guidelines/) * [Books for Developers](/doc/devel-books/) * [Qubes OS License](/doc/license/) From 7347b388342708696559d45b2401711f6f06218c Mon Sep 17 00:00:00 2001 From: William Robinet Date: Sun, 21 Feb 2016 19:07:55 +0100 Subject: [PATCH 22/37] fix typos --- common-tasks/backup-restore.md | 2 +- common-tasks/software-update-vm.md | 2 +- developers/fundamentals/gui.md | 2 +- .../fundamentals/template-implementation.md | 2 +- developers/services/dvm-impl.md | 4 ++-- developers/services/qmemman.md | 2 +- developers/services/qrexec2.md | 2 +- installing/live-usb.md | 2 +- installing/multiboot.md | 6 +++--- managing-os/templates/archlinux.md | 16 ++++++++-------- privacy/torvm.md | 2 +- reference/vm-tools/qvm-run.md | 2 +- releases/supported-versions.md | 2 +- security/multifactor-authentication.md | 2 +- security/yubi-key.md | 2 +- 15 files changed, 25 insertions(+), 25 deletions(-) diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md index f6135120..6098ca65 100644 --- a/common-tasks/backup-restore.md +++ b/common-tasks/backup-restore.md @@ -11,7 +11,7 @@ redirect_from: Qubes Backup, Restoration, and Migration ======================================== -**Caution:** The Qubes backup system currently relies on a [weak key derivation scheme](https://github.com/QubesOS/qubes-issues/issues/971). It is *strongly recommended* that users select a *high-entropy* passphrase for use with with Qubes backups. +**Caution:** The Qubes backup system currently relies on a [weak key derivation scheme](https://github.com/QubesOS/qubes-issues/issues/971). It is *strongly recommended* that users select a *high-entropy* passphrase for use with Qubes backups. * [Creating a Backup](#creating-a-backup) * [Restoring from a Backup](#restoring-from-a-backup) diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md index c7b5381f..f71fb3ae 100644 --- a/common-tasks/software-update-vm.md +++ b/common-tasks/software-update-vm.md @@ -56,7 +56,7 @@ As long as template's compromise is considered, it doesn't really matter whether - But why trusting Fedora? -Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-epxloitable. We certainly do not assume the latter. +Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter. - So, are the template VMs as trusted as Dom0? diff --git a/developers/fundamentals/gui.md b/developers/fundamentals/gui.md index e8565e27..6bec826f 100644 --- a/developers/fundamentals/gui.md +++ b/developers/fundamentals/gui.md @@ -75,7 +75,7 @@ Certainly, it would be insecure to allow AppVM to read/write clipboard of other - there is a "qubes clipboard" in dom0 - its contents is stored in a regular file in dom0. - if user wants to copy local AppVM clipboard to qubes clipboard, she must focus on any window belonging to this AppVM, and press **Ctrl-Shift-C**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_REQ` message is sent to AppVM. *qubes-gui* responds with *CLIPBOARD_DATA* message followed by clipboard contents. -- user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the the local clipboard, and then user can paste its contents to local applications normally. +- user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the local clipboard, and then user can paste its contents to local applications normally. This way, user can quickly copy clipboards between AppVMs. This action is fully controlled by the user, it cannot be triggered/forced by any AppVM. diff --git a/developers/fundamentals/template-implementation.md b/developers/fundamentals/template-implementation.md index b80ef434..0f320910 100644 --- a/developers/fundamentals/template-implementation.md +++ b/developers/fundamentals/template-implementation.md @@ -87,7 +87,7 @@ Steps performed by **qvm-revert-template-changes**: 3. Replace *snapshot* device-mapper target with *snapshot-merge*, other parameters (chunk size etc) remains untouched. Now kernel starts merging changes stored in *root-cow.img.old* into *root.img*. d-m device can be used normally (if needed). 4. Waits for merge completed: *dmsetup status* shows used snapshot blocks – it should be equal to metadata size when completed. 5. Replace *snapshot-merge* d-m target back to *snapshot*. -6. Cleanup snapshot device (if nobody uses it it the moment). +6. Cleanup snapshot device (if nobody uses it at the moment). 7. Move *root-cow.img.old* to *root-cow.img* (overriding existing file). Snapshot device in AppVM diff --git a/developers/services/dvm-impl.md b/developers/services/dvm-impl.md index efb01d9f..3ed33a49 100644 --- a/developers/services/dvm-impl.md +++ b/developers/services/dvm-impl.md @@ -30,7 +30,7 @@ Preparing a savefile is done by */usr/lib/qubes/qubes\_prepare\_saved\_domain.sh 6. when `qubes_used_mem` key appears, the domain memory is reduced to this amount, to make the savefile smaller. 7. APPVM private image is detached 8. the domain is saved via *xl save* -9. the COW file volatile.img (cow for for root fs and swap) is packed to `saved_cows.tar` archive +9. the COW file volatile.img (cow for root fs and swap) is packed to `saved_cows.tar` archive *qubes\_prepare\_saved\_domain.sh* script is somehow lowlevel. It is usually called by *qvm-create-default-dvm* script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to *qubes\_prepare\_saved\_domain.sh*, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists). @@ -53,4 +53,4 @@ Validating the DisposableVM savefile DisposableVM savefile contains references to template rootfs and to COW files. The COW files are restored before each DisposableVM start, so they cannot change. On the other hand, if templateVM is started, the template rootfs will change, and it may not be coherent with the COW files. -Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in *qfilexchgd* daemon, just before restoring DisposableVM. If necassary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at */var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh*. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes. +Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in *qfilexchgd* daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at */var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh*. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes. diff --git a/developers/services/qmemman.md b/developers/services/qmemman.md index 2fd8cc63..499d3bf4 100644 --- a/developers/services/qmemman.md +++ b/developers/services/qmemman.md @@ -70,7 +70,7 @@ Additionally, the balance algorithm is tuned so that XEN\_FREE\_MEM\_LEFT (50MB) Whenever *qmemman* is asked to return X megabytes of memory to Xen free pool, the following algorithm (*qmemman\_algo.balloon*) is executed: 1. find all domains ("donors") whose actual memory is greater than its `prefmem` -2. calculate how much memory can be reclaimed by shrinking donors to their `prefmem`. If is is less than X, return error. +2. calculate how much memory can be reclaimed by shrinking donors to their `prefmem`. If it is less than X, return error. 3. shrink donors, proportionally to their `prefmem`, so that X MB should become free 4. wait BALOON\_DELAY (0.1s) 5. if some domain have not given back any memory, remove it from the donors list, and go to step 2, unless we already did MAX\_TRIES (20) iterations (then return error). diff --git a/developers/services/qrexec2.md b/developers/services/qrexec2.md index aaaa74ab..a26e693f 100644 --- a/developers/services/qrexec2.md +++ b/developers/services/qrexec2.md @@ -313,7 +313,7 @@ steps are taken: * `qrexec-daemon` executes `qrexec-policy`, passing source vmname, target vmname, rpc action, and CID as cmdline arguments * `qrexec-policy` evaluates the policy file. If successful, creates a pair of - `qrexec-client` processes, whose stdin/stdout are cross-connencted. + `qrexec-client` processes, whose stdin/stdout are cross-connected. * The first `qrexec-client` connects to the src VM, using the `-c ClientID` parameter, which results in not creating a new process, but connecting to the existing process file descriptors (these are the fds of unix socket diff --git a/installing/live-usb.md b/installing/live-usb.md index a5e1fee1..ad630bfb 100644 --- a/installing/live-usb.md +++ b/installing/live-usb.md @@ -20,7 +20,7 @@ We have faced several challenges when making this Live USB edition of Qubes OS, which traditional Linux distros don't have to bother with: 1. We needed to ensure Xen is properly started when booting the stick. In fact - we still don't support UEFI boot for the sitck for this reason, even though + we still don't support UEFI boot for the stick for this reason, even though the Fedora liveusb creator we used does support it. Only legacy boot for this version, sorry. 2. We discovered that the Fedora liveusb-create does *not* verify signatures on diff --git a/installing/multiboot.md b/installing/multiboot.md index d94de1bf..7232b3db 100644 --- a/installing/multiboot.md +++ b/installing/multiboot.md @@ -21,7 +21,7 @@ Read the [guidelines](/doc/security-guidelines) carefully. One problem is that when you dual or multiboot, even if you are using encryption on your Qubes installation, /boot is still unprotected and could be maliciously modified by the other OS, possibly leading to Qubes -itself being maliciously modifed. +itself being maliciously modified. The other problem is firmware security - for example the other system could infect BIOS firmware, which might enable compromise or spying on @@ -177,8 +177,8 @@ sudo grub2-mkconfig -o /boot/grub2/grub.cfg Troubleshooting ---------------------- -If you install Qubes without making any backups beforehand, dont worry. -If you didnt overwrite the original partitions, then it is usually +If you install Qubes without making any backups beforehand, don't worry. +If you didn't overwrite the original partitions, then it is usually possible to recover your old systems relatively easily, as described above. If you decided to use a shared /boot and *dont* have backups of your previous diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index f9cb04c2..7b0a1d7e 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -106,7 +106,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr).

-* You will now have the Qubes Builder System enviornment installed in the directory below: +* You will now have the Qubes Builder System environment installed in the directory below: * **/home/user/qubes-builder**
@@ -115,7 +115,7 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). ##### **5: Configuring setup script to create builder.conf file:** ##### -* You will be creating the builder.conf file which tells where and what to use. The most automated, and in in this case the easiest, way to create this is to use the script that is provided in Qubes Builder. Its named '**setup**'. Before running the script you need to edit one file it uses. +* You will be creating the builder.conf file which tells where and what to use. The most automated, and in this case the easiest, way to create this is to use the script that is provided in Qubes Builder. Its named '**setup**'. Before running the script you need to edit one file it uses. *In the future this should not be needed once a change is made to the 'setup' script.* @@ -363,11 +363,11 @@ Main maintainer of this template is [Olivier Médoc](mailto:o_medoc@yahoo.fr). One last thing to setup to have a "PROPERLY" functioning archlinux template. -Archlinux package manager Pacman is a fine package mangers execpt that we could not find a way to configure it to use the Qubes Update Proxy Service (QUPS) that would compliy with Qubes QUPS usage policy. +Archlinux package manager Pacman is a fine package mangers except that we could not find a way to configure it to use the Qubes Update Proxy Service (QUPS) that would comply with Qubes QUPS usage policy. *If someone does find a way please post to the Qubes-Users or Devel google groups mailing list.* -Powerpill is a full Pacman wrapper that not only give easy proxy configuration but futher offers numerous other advantages. +Powerpill is a full Pacman wrapper that not only give easy proxy configuration but further offers numerous other advantages. Please check out: @@ -376,7 +376,7 @@ Please check out: [XYNE's (dev) Powerpill](http://xyne.archlinux.ca/projects/powerpill/) -**Important Note:** Until Powerpill is configured you will have to open network access to the template to get the intial packages etc downloaded. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services thru the same window. Remember to change it back if you choose the later route. Actions needing network access will be noted with (needs network access) +**Important Note:** Until Powerpill is configured you will have to open network access to the template to get the initial packages etc downloaded. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services thru the same window. Remember to change it back if you choose the later route. Actions needing network access will be noted with (needs network access)

@@ -389,7 +389,7 @@ Please check out: * **$ sudo nano -w /etc/pacman.conf** -* Below is the output of a correct pacman.conf file Make the changes so your file matches this one or rename the orginal and create a new one and copy and paste this text into it. Text should be justifed left in the file. The changes from your default are to make gpg sig signing mandatory for packages but not required for DBs for the archlinux repos. Also to add the repo (at the end) for the Powerpill package. +* Below is the output of a correct pacman.conf file Make the changes so your file matches this one or rename the original and create a new one and copy and paste this text into it. Text should be justified left in the file. The changes from your default are to make gpg sig signing mandatory for packages but not required for DBs for the archlinux repos. Also to add the repo (at the end) for the Powerpill package.
@@ -542,7 +542,7 @@ Please check out: * Confirm keys with those at [Archlinux Master Keys](https://www.archlinux.org/master-keys/) - * For more information on Pacman key sigining: [Pacman Package Key Signing](https://wiki.archlinux.org/index.php/Pacman/Package_signing) + * For more information on Pacman key signing: [Pacman Package Key Signing](https://wiki.archlinux.org/index.php/Pacman/Package_signing)

@@ -579,7 +579,7 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux. *Note: Look at the Reflector page to decide what filter and argument string you wish to run. Below is a default string that will work for most all to setup a working basic mirrorlist. -*Look to Reflector pages or --help for more info on arug and filters.* +*Look to Reflector pages or --help for more info on args and filters.* * **$ sudo reflector --verbose -l 5 --sort rate --save /etc/pacman.d/mirrorlist** diff --git a/privacy/torvm.md b/privacy/torvm.md index 161d38c7..d333476e 100644 --- a/privacy/torvm.md +++ b/privacy/torvm.md @@ -189,7 +189,7 @@ access with different stream isolation settings: * Port 9050 - Isolates by SOCKS Auth and client address only Each AppVM gets its own circuit, and each app using a unique SOCKS user/pass gets its own circuit -* Port 9049 - Isolates client + estination port, address, and by SOCKS Auth +* Port 9049 - Isolates client + destination port, address, and by SOCKS Auth Same as default settings listed above, but additionally traffic is isolated based on destination port and destination address. diff --git a/reference/vm-tools/qvm-run.md b/reference/vm-tools/qvm-run.md index a850ed60..84a2a8bc 100644 --- a/reference/vm-tools/qvm-run.md +++ b/reference/vm-tools/qvm-run.md @@ -22,7 +22,7 @@ Date SYNOPSIS -------- -qvm-run vmname command [aguments] +qvm-run vmname command [arguments] OPTIONS ------- diff --git a/releases/supported-versions.md b/releases/supported-versions.md index eb210cf6..f79063a5 100644 --- a/releases/supported-versions.md +++ b/releases/supported-versions.md @@ -45,7 +45,7 @@ supported. | Release 3.2 | TBA | TBA | | Release 4.0 | TBA | TBA | -\* Denotes versions for which we have pubished the packages but have not done +\* Denotes versions for which we have published the packages but have not done extensive testing. [r3.1-schedule]: /doc/releases/3.1/schedule/ diff --git a/security/multifactor-authentication.md b/security/multifactor-authentication.md index d8ae577e..b465bb38 100644 --- a/security/multifactor-authentication.md +++ b/security/multifactor-authentication.md @@ -54,7 +54,7 @@ SMS: over to government agencies.) * Using `oathtool` in a dedicated, network-isolated Qubes VM allows us to - achieve a unqiue combination of security and convenience. The strong isolation + achieve a unique combination of security and convenience. The strong isolation Qubes provides allows us to reap the full security benefits of MFA, while virtualization frees us from having to worry about finding and handling a second physical device. diff --git a/security/yubi-key.md b/security/yubi-key.md index 40a6b5a2..a01fff13 100644 --- a/security/yubi-key.md +++ b/security/yubi-key.md @@ -13,7 +13,7 @@ Using YubiKey to Qubes authentication You can use YubiKey to enhance Qubes user authentication, for example to mitigate risk of snooping the password. This can also slightly improve security when you have [USB keyboard](https://github.com/marmarek/qubes-app-linux-input-proxy). -There (at least) two possible configurations: using OTP mode and using challenge-reponse mode. +There (at least) two possible configurations: using OTP mode and using challenge-response mode. OTP mode -------- From 391df3f01aa3f99497b5a58ba835bb06d8d335b5 Mon Sep 17 00:00:00 2001 From: Axon Date: Mon, 22 Feb 2016 22:43:35 +0000 Subject: [PATCH 23/37] Use yum directly to remove a package in dom0 --- common-tasks/software-update-dom0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md index 323e0d9e..c9bd1dcb 100644 --- a/common-tasks/software-update-dom0.md +++ b/common-tasks/software-update-dom0.md @@ -71,7 +71,7 @@ Of course, command line tools are still available for accomplishing various upda If you've installed a package such as anti-evil-maid, you can remove it with the following command: ~~~ - sudo qubes-dom0-update action=remove anti-evil-maid + sudo yum remove anti-evil-maid ~~~ ### Kernel Upgrade ### From 37cac07a8fd212747d9f2a284e7dbf8a6083339a Mon Sep 17 00:00:00 2001 From: youknow0 Date: Wed, 24 Feb 2016 18:07:39 +0100 Subject: [PATCH 24/37] Fix link to disposable VM doc previous link was 404 --- configuration/network-printer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/network-printer.md b/configuration/network-printer.md index 3ac2c6ca..26bd4879 100644 --- a/configuration/network-printer.md +++ b/configuration/network-printer.md @@ -23,7 +23,7 @@ Security considerations for network printers and drivers Some printers require 3rd party drivers, typically downloadable from the vendor's website. Such drivers are typically distributed in a form of ready to install RPM packages. However, they are often unsigned, and additionally the downloads are available via HTTP connections only. As a result, installation of such 3rd party RPMs in a default template VM exposes a risk of compromise of this template VM, which, in turn, leads automatically to compromise of all the AppVMs based on the template. (Again, it's not buggy or malicious drivers that we fear here, but rather malicious installation scripts for those drivers). -In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the 3rd party, unverified drivers there. Such template might then be made the default template for [Disposable VM creation](/doc/disposable-vms/), which should allow one to print any document by right-clicking on it, choosing "Open in Disposable VM" and print from there. This would allow to print documents from more trusted AppVMs (based on a trusted default template, that is not poisoned by 3rd party printer drivers). +In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the 3rd party, unverified drivers there. Such template might then be made the default template for [Disposable VM creation](/doc/dispvm/), which should allow one to print any document by right-clicking on it, choosing "Open in Disposable VM" and print from there. This would allow to print documents from more trusted AppVMs (based on a trusted default template, that is not poisoned by 3rd party printer drivers). However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed. This is a limitation of today's printers and printing protocols, something that cannot be solved by Qubes or any other OS. From 419137c3a5b53016e1a8ede8c1b6f8c328ad9ed7 Mon Sep 17 00:00:00 2001 From: Axon Date: Fri, 26 Feb 2016 05:19:55 +0000 Subject: [PATCH 25/37] Updating dom0 does not update templates Fixes QubesOS/qubes-issues#1616 --- managing-os/templates.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/managing-os/templates.md b/managing-os/templates.md index c97a343c..5a73d90f 100644 --- a/managing-os/templates.md +++ b/managing-os/templates.md @@ -75,3 +75,13 @@ Important Notes TemplateBasedVMs persist in this manner. If you would like to make changes in other directories which *do* persist in this manner, you must make those changes in the parent TemplateVM. + + * Templates are not autmoatically updated when + [updating dom0](/doc/software-update-dom0/). This is by design, since doing + so would cause all user modifications to templates to be lost. Instead, you + should update your tempaltes + [from within each template](/doc/software-update-vm/). If you *do* want to + update a template from dom0 (and thereby lose any user modifications in the + existing template), you must first uninstall the existing template from dom0: + + $ sudo yum remove qubes-template-fedora-23 From d13ca72fb92808d48fc73917b90e9ec994e88ae5 Mon Sep 17 00:00:00 2001 From: Axon Date: Fri, 26 Feb 2016 05:34:29 +0000 Subject: [PATCH 26/37] Fix typos --- managing-os/templates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/managing-os/templates.md b/managing-os/templates.md index 5a73d90f..77f4cdb6 100644 --- a/managing-os/templates.md +++ b/managing-os/templates.md @@ -76,10 +76,10 @@ Important Notes in other directories which *do* persist in this manner, you must make those changes in the parent TemplateVM. - * Templates are not autmoatically updated when + * Templates are not automatically updated when [updating dom0](/doc/software-update-dom0/). This is by design, since doing so would cause all user modifications to templates to be lost. Instead, you - should update your tempaltes + should update your templates [from within each template](/doc/software-update-vm/). If you *do* want to update a template from dom0 (and thereby lose any user modifications in the existing template), you must first uninstall the existing template from dom0: From af89a57c7bd13a2fe602237860fb6067138b33a9 Mon Sep 17 00:00:00 2001 From: Henry de Valence Date: Thu, 3 Mar 2016 15:28:01 +0100 Subject: [PATCH 27/37] Clarify that resizing root.img requires shutting down AppVMs --- configuration/resize-root-disk-image.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md index 299d7618..bee7272f 100644 --- a/configuration/resize-root-disk-image.md +++ b/configuration/resize-root-disk-image.md @@ -32,16 +32,23 @@ Shutdown the StandaloneVM and you will have extended the size of it's `root.img` ### Resize a TemplateVM Root Image -In `dom0` Konsole run the following command (replace the size and path):*Make sure changes in the TemplateVM between reboots didn't exceed 10G.* +Shut down the TemplateVM, as well as all VMs based on that template (since they +share `root.img`). +In `dom0` Konsole run the following command (replace the size and path): +*Make sure changes in the TemplateVM between reboots didn't exceed 10G.* ~~~ truncate -s 20G /var/lib/qubes/vm-templates/fedora-21/root.img ~~~ -Then start Terminal for this TemplateVM and run the following: +Then start only the TemplateVM and run the following. Note that if you are +resizing the TemplateVM used by, e.g., your NetVM, you may need to disable +networking so when the TemplateVM is started, it does not autostart other VMs +based on the same `root.img`. Otherwise you will get an error message `Nothing +to do!`. ~~~ sudo resize2fs /dev/mapper/dmroot ~~~ -Shutdown the TemplateVM and you will have extended the size of it's `root.img` +Shutdown the TemplateVM and you will have extended the size of it's `root.img`. From 6233a3369b369eaaed582d7f7a389ca3813cf311 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 21 Feb 2016 01:16:51 +0100 Subject: [PATCH 28/37] Fix "archlinux: add spaces around '###' markers" Remove unnecessary spaces added in config dump. Add some empty lines to fix formatting ("Edited Line:" folded into preceding line). --- managing-os/templates/archlinux.md | 163 +++++++++++++++-------------- 1 file changed, 84 insertions(+), 79 deletions(-) diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md index 7b0a1d7e..15b9fcbe 100644 --- a/managing-os/templates/archlinux.md +++ b/managing-os/templates/archlinux.md @@ -396,133 +396,138 @@ Please check out:
- # /etc/pacman.conf - # - # See the pacman.conf(5) manpage for option and repository directives + # /etc/pacman.conf + # + # See the pacman.conf(5) manpage for option and repository directives - # - # GENERAL OPTIONS - # + # + # GENERAL OPTIONS + # [options] - # The following paths are commented out with their default values listed. - # If you wish to use different paths, uncomment and update the paths. - # RootDir = / - # DBPath = /var/lib/pacman/ - # CacheDir = /var/cache/pacman/pkg/ - # LogFile = /var/log/pacman.log + # The following paths are commented out with their default values listed. + # If you wish to use different paths, uncomment and update the paths. + # RootDir = / + # DBPath = /var/lib/pacman/ + # CacheDir = /var/cache/pacman/pkg/ + # LogFile = /var/log/pacman.log GPGDir = /etc/pacman.d/gnupg/ HoldPkg = pacman glibc - # XferCommand = /usr/bin/curl -C - -f %u > %o - # XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u - # CleanMethod = KeepInstalled - # UseDelta = 0.7 + # XferCommand = /usr/bin/curl -C - -f %u > %o + # XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u + # CleanMethod = KeepInstalled + # UseDelta = 0.7 Architecture = auto - # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup - # IgnorePkg = - # IgnoreGroup = - # NoUpgrade = + # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup + # IgnorePkg = + # IgnoreGroup = + # NoUpgrade = NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio NoUpgrade = /etc/X11/xinit/xinitrc.d/pulseaudio - # NoExtract = + # NoExtract = - # Misc options - # UseSyslog - # Color - # TotalDownload + # Misc options + # UseSyslog + # Color + # TotalDownload CheckSpace - # VerbosePkgLists + # VerbosePkgLists - # By default, pacman accepts packages signed by keys that its local keyring - # trusts (see pacman-key and its man page), as well as unsigned packages. -**Edited Line:** ` # SigLevel = Required DatabaseOptional` + # By default, pacman accepts packages signed by keys that its local keyring + # trusts (see pacman-key and its man page), as well as unsigned packages. + +**Edited Line:** `# SigLevel = Required DatabaseOptional` LocalFileSigLevel = Optional - # RemoteFileSigLevel = Required + # RemoteFileSigLevel = Required - # NOTE: You must run `pacman-key --init` before first using pacman; the local - # keyring can then be populated with the keys of all official Arch Linux - # packagers with `pacman-key --populate archlinux`. + # NOTE: You must run `pacman-key --init` before first using pacman; the local + # keyring can then be populated with the keys of all official Arch Linux + # packagers with `pacman-key --populate archlinux`. - # - # REPOSITORIES - # - can be defined here or included from another file - # - pacman will search repositories in the order defined here - # - local/custom mirrors can be added here or in separate files - # - repositories listed first will take precedence when packages - # have identical names, regardless of version number - # - URLs will have $repo replaced by the name of the current repo - # - URLs will have $arch replaced by the name of the architecture - # - # Repository entries are of the format: - # [repo-name] - # Server = ServerName - # Include = IncludePath - # - # The header [repo-name] is crucial - it must be present and - # uncommented to enable the repo. - # + # + # REPOSITORIES + # - can be defined here or included from another file + # - pacman will search repositories in the order defined here + # - local/custom mirrors can be added here or in separate files + # - repositories listed first will take precedence when packages + # have identical names, regardless of version number + # - URLs will have $repo replaced by the name of the current repo + # - URLs will have $arch replaced by the name of the architecture + # + # Repository entries are of the format: + # [repo-name] + # Server = ServerName + # Include = IncludePath + # + # The header [repo-name] is crucial - it must be present and + # uncommented to enable the repo. + # - # The testing repositories are disabled by default. To enable, uncomment the - # repo name header and Include lines. You can add preferred servers immediately - # after the header, and they will be used before the default mirrors. + # The testing repositories are disabled by default. To enable, uncomment the + # repo name header and Include lines. You can add preferred servers immediately + # after the header, and they will be used before the default mirrors. - # [testing] - # SigLevel = PackageRequired - # Include = /etc/pacman.d/mirrorlist + # [testing] + # SigLevel = PackageRequired + # Include = /etc/pacman.d/mirrorlist [core] + **Edited Line:** `SigLevel = PackageRequired` Include = /etc/pacman.d/mirrorlist [extra] + **Edited Line:** `SigLevel = PackageRequired` Include = /etc/pacman.d/mirrorlist - # [community-testing] - # SigLevel = PackageRequired - # Include = /etc/pacman.d/mirrorlist + # [community-testing] + # SigLevel = PackageRequired + # Include = /etc/pacman.d/mirrorlist [community] + **Edited Line:** `SigLevel = PackageRequired` Include = /etc/pacman.d/mirrorlist - # If you want to run 32 bit applications on your x86_64 system, - # enable the multilib repositories as required here. + # If you want to run 32 bit applications on your x86_64 system, + # enable the multilib repositories as required here. - # [multilib-testing] - # Include = /etc/pacman.d/mirrorlist + # [multilib-testing] + # Include = /etc/pacman.d/mirrorlist - # [multilib] - # Include = /etc/pacman.d/mirrorlist + # [multilib] + # Include = /etc/pacman.d/mirrorlist - # An example of a custom package repository. See the pacman manpage for - # tips on creating your own repositories. - # [custom] - # SigLevel = Optional TrustAll - # Server = file:///home/custompkgs + # An example of a custom package repository. See the pacman manpage for + # tips on creating your own repositories. + # [custom] + # SigLevel = Optional TrustAll + # Server = file:///home/custompkgs [multilib] + **Edited Line:** `SigLevel = PackageRequired` Include = /etc/pacman.d/mirrorlist -**Edited Line:** ` # [qubes]` +**Edited Line:** `# [qubes]` -**Edited Line:** ` # Server = http://olivier.medoc.free.fr/archlinux/pkgs/` +**Edited Line:** `# Server = http://olivier.medoc.free.fr/archlinux/pkgs/` **Add Section Below:** [xyne-x86_64] - # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ - # Packages for the "x86_64" architecture. - # Added for PowerPill app - # Note that this includes all packages in [xyne-any]. + # A repo for Xyne's own projects: http://xyne.archlinux.ca/projects/ + # Packages for the "x86_64" architecture. + # Added for PowerPill app + # Note that this includes all packages in [xyne-any]. SigLevel = Required Server = http://xyne.archlinux.ca/repos/xyne @@ -667,9 +672,9 @@ Note: For info on Reflector and its configs: [Reflector](https://wiki.archlinux. #### **Qubes Mailing List Threads on the Archlinux build process:** #### -* [Qubes-Devel](https://groups.google.com/forum/ # !forum/qubes-devel): [Qubes Builder failed Archlinux repository is missing](https://groups.google.com/forum/#!topic/qubes-devel/tIFkS-rPVx8) +* [Qubes-Devel](https://groups.google.com/forum/#!forum/qubes-devel): [Qubes Builder failed Archlinux repository is missing](https://groups.google.com/forum/#!topic/qubes-devel/tIFkS-rPVx8) -* [Qubes-Users](https://groups.google.com/forum/ # !forum/qubes-users): [Trying to compile archlinux template](https://groups.google.com/forum/#!topic/qubes-users/7wuwr3LgkQQ) +* [Qubes-Users](https://groups.google.com/forum/#!forum/qubes-users): [Trying to compile archlinux template](https://groups.google.com/forum/#!topic/qubes-users/7wuwr3LgkQQ)
From f4436afe3cc00f6da9eba4b5b23f3931f122c4d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 6 Mar 2016 00:12:01 +0100 Subject: [PATCH 29/37] Add UEFI troubleshooting guide --- doc.md | 1 + installing/uefi-troubleshooting.md | 46 ++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 installing/uefi-troubleshooting.md diff --git a/doc.md b/doc.md index 36a501a9..950fefce 100644 --- a/doc.md +++ b/doc.md @@ -140,6 +140,7 @@ Troubleshooting * [Solving problems with Macbook Air 2012](https://groups.google.com/group/qubes-devel/browse_thread/thread/b8b0d819d2a4fc39/d50a72449107ab21#8a9268c09d105e69) * [Getting Sony Vaio Z laptop to work with Qubes](/doc/sony-vaio-tinkering/) * [Getting Lenovo 450 to work with Qubes](/doc/lenovo450-tinkering/) + * [Troubleshooting UEFI related problems](/doc/uefi-troubleshooting/) Reference Pages diff --git a/installing/uefi-troubleshooting.md b/installing/uefi-troubleshooting.md new file mode 100644 index 00000000..4e18e2f8 --- /dev/null +++ b/installing/uefi-troubleshooting.md @@ -0,0 +1,46 @@ +--- +layout: doc +title: UEFI Troubleshooting +permalink: /doc/uefi-troubleshooting/ +--- + +Troubleshooting UEFI related problems +======================================== + + + +Cannot start installation, it hangs after GRUB menu ("Test media and install Qubes OS") +--------------------- + +There is some [common bug in UEFI implementation](http://xen.markmail.org/message/f6lx2ab4o2fch35r), affecting mostly Lenovo systems, but probably some others too. You can try existing workaround: + +1. In GRUB menu press `e`. +2. At the end of `chainloader` line add `/mapbs /noexitboot`. +3. Perform installation normally, but not reboot system at the end yet. +4. Go to `tty2` (Ctrl-Alt-F2). +5. Execute `mount | grep boot/efi` and note device name (first column). It should be something like `/dev/sda1`. +6. Execute `efibootmgr -v`, search for `Qubes` entry and note its number (it should be something like `Boot0001` - `0001` is an entry number). +7. Replace existing `Qubes` entry with modified one. Replace `XXXX` with entry number from previous step, `/dev/sda` with your disk name and `-p 1` with `/boot/efi` partition number): + + efibootmgr -b XXXX -B + efibootmgr -v -c -u -L Qubes -l /EFI/qubes/xen.efi -d /dev/sda -p 1 "placeholder /mapbs /noexitboot" + +8. Compare new entry with the old one (printed in step 6) - it should only differ in additional options at the end. +9. Now you can reboot the system by issuing `reboot` command. + + +System crash/restart when booting installer +------------------------------------------- + +Some Dell systems and probably others have [another bug in UEFI firmware](http://markmail.org/message/amw5336otwhdxi76). And there is another workaround for it: + + +1. In GRUB menu press `e`. +2. At the end of `chainloader` line add `-- efi=attr=uc`. +3. Perform installation normally, but not reboot system at the end yet. +4. Go to `tty2` (Ctrl-Alt-F2). +5. Execute: + + sed -i -e 's/^options=.*/\0 efi=attr=uc' /mnt/sysimage/boot/efi/qubes/xen.cfg + +6. Now you can reboot the system by issuing `reboot` command. From 3099d7149f7b4b6266e6b7d25cbc31d79407f6f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 6 Mar 2016 00:12:18 +0100 Subject: [PATCH 30/37] Add disclaimer to certified laptops page --- hardware/certified-laptops.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hardware/certified-laptops.md b/hardware/certified-laptops.md index d1149e90..7d0867ce 100644 --- a/hardware/certified-laptops.md +++ b/hardware/certified-laptops.md @@ -11,6 +11,9 @@ Qubes-certified laptops are laptops that have been tested by the Qubes developer We aim to partner with a few select computer makers to ensure that Qubes is compatible with them, so that new users have clear path towards getting started with Qubes if they desire. We aim for these makers to be as diverse as possible in terms of geography, cost, and availability. +Note that we certify only that particular configuration is supported by Qubes +OS. We take no responsibility for our partners shipping process - including +the hardware will not being modified in any way (malicious or not). Purism Librem 13 ---------------------------- From 60ad631614a24e07014c8a437c6515f33b300da2 Mon Sep 17 00:00:00 2001 From: Axon Date: Tue, 8 Mar 2016 21:50:31 +0000 Subject: [PATCH 31/37] Update content and clean up formatting * Add additional useful commands * Add link to /doc/code-signing/ * Clean up grammar and wording * Use reference-style links * Wrap lines --- developers/source-code.md | 67 +++++++++++++++++++++++++++++---------- 1 file changed, 50 insertions(+), 17 deletions(-) diff --git a/developers/source-code.md b/developers/source-code.md index 42082921..6c4a9070 100644 --- a/developers/source-code.md +++ b/developers/source-code.md @@ -11,16 +11,17 @@ redirect_from: Qubes Source Code Repositories ============================== -All the Qubes code is kept in GIT repositories. We divided the project into several components, each of which has its own separate repository, some of them: +All the Qubes code is kept in Git repositories. We have divided the project into +several components, each of which has its own separate repository, for example: -- `core-admin.git` -- the core Qubes infrastructure responsible for VM management, VM templates, fs sharing, etc. -- `gui-daemon.git` -- GUI virtualization, Dom0 side. -- `gui-agent-linux.git` -- GUI virtualization, Linux VM side. -- `linux-template-builder.git` - scripts and other files used to create Qubes templates images. + * `core-admin.git` -- The core Qubes infrastructure, responsible for VM + management, VM templates, fs sharing, etc. + * `gui-daemon.git` -- GUI virtualization, Dom0 side. + * `gui-agent-linux.git` -- GUI virtualization, Linux VM side. + * `linux-template-builder.git` -- Scripts and other files used to create Qubes + template images. -You can browse the repositories [online on -GitHub](https://github.com/QubesOS/). The Qubes official repositories are on -this `QubesOS` github account. +All of our repositories are available under the [QubesOS GitHub account]. To clone a repository: @@ -34,15 +35,47 @@ e.g.: git clone git://github.com/QubesOS/qubes-core-admin.git core-admin ~~~ -## Sending a patch +To clone **all** of our repositories in a single command: -If you want to contribute to the project, there are two ways: +~~~ +curl "https://api.github.com/orgs/QubesOS/repos?page=1&per_page=100" | grep -e 'git_url*' | cut -d \" -f 4 | xargs -L1 git clone +~~~ -* **Preferred**: Use github [fork & pull requests](https://guides.github.com/activities/forking/) -* Sending a patch via the project's mailing list (`git format-patch`). +To update (git fetch) **all** of these repositories in a single command: + +~~~ +find . -mindepth 1 -maxdepth 1 -type d -exec git -C {} fetch --tags --recurse-submodules=on-demand --all \; +~~~ + +(Alternatively, you can pull instead of just fetching.) + + +How to Send Patches +------------------- + +If you want to contribute code to the project, there are two ways. Whichever +method you choose, you must [sign your code] before it can be accepted. + +* **Preferred**: Use GitHub's [fork & pull requests]. +* Send a patch to our developer [mailing list] (`git format-patch`). + + 1. Make all the changes in your working directory, i.e. edit files, move them + around (you can use 'git mv' for this), etc. + 2. Add the changes and commit them (`git add`, `git commit`). Never mix + different changes into one commit! Write a good description of the commit. + The first line should contain a short summary, and then, if you feel like + more explanations are needed, enter an empty new line, and then start the + long, detailed description (optional). + 3. Test your changes NOW: check if RPMs build fine, etc. + 4. Create the patch using `git format-patch`. This has an advantage over + `git diff`, because the former will also include your commit message, your + name and email, so that *your* name will be used as a commit's author. + 5. Send your patch to `qubes-devel`. Start the message subject with + `[PATCH]`. + + +[QubesOS GitHub account]: https://github.com/QubesOS/ +[sign your code]: /doc/code-signing/ +[fork & pull requests]: https://guides.github.com/activities/forking/ +[mailing list]: /doc/mailing-lists/ - 1. Make all the changes in your working directory, i.e. edit files, move them around (you can use 'git mv' for this), etc. - 2. Add the changes and commit them (git add, git commit). Never mix different changes into one commit! Write a good description of the commit. The first line should contain a short summary, and then, if you feel like more explanations are needed, enter an empty new line, and then start the long, detailed description (optional). - 3. Test your changes NOW: check if RPMs build fine, etc. - 4. Create the patch using 'git format-patch'. This has an advantage over 'git diff', because the former will also include your commit message, your name and email, so that \*your\* name will be used as a commit's author. - 5. Send your patch to qubes-devel. Start the message subject with the '[PATCH]' string. From 8d7e3cd61a7e6ef68ea6b940a6e4afbd5ba55e38 Mon Sep 17 00:00:00 2001 From: Axon Date: Tue, 8 Mar 2016 21:52:35 +0000 Subject: [PATCH 32/37] Create code-signing.md This document briefly explains how to get started with cryptographically signing source code contributions. --- developers/code-signing.md | 139 +++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 developers/code-signing.md diff --git a/developers/code-signing.md b/developers/code-signing.md new file mode 100644 index 00000000..eb656ead --- /dev/null +++ b/developers/code-signing.md @@ -0,0 +1,139 @@ +--- +layout: doc +title: Code Signing +permalink: /doc/code-signing/ +--- + +Code Signing +============ + +All contributions to the Qubes OS [source code] must be cryptographically signed +by the author's PGP key. + + +Generating a Key +---------------- + +(Note: If you already have a PGP key, you may skip this step.) + +Alex Cabal has written an excellent [guide] on creating a PGP keypair. +Below, we reproduce just the minimum steps in generating a keypair using GnuPG. +Please read Cabal's full guide for further important details. + +~~~ +$ gpg --gen-key +gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. + +Please select what kind of key you want: + (1) RSA and RSA (default) + (2) DSA and Elgamal + (3) DSA (sign only) + (4) RSA (sign only) +Your selection? 1 + +RSA keys may be between 1024 and 4096 bits long. +What keysize do you want? (2048) 4096 + +Requested keysize is 4096 bits +Please specify how long the key should be valid. + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +Key is valid for? (0) 0 + +Key does not expire at all +Is this correct? (y/N) y + + +You need a user ID to identify your key; the software constructs the user ID +from the Real Name, Comment and E-mail Address in this form: + "Heinrich Heine (Der Dichter) " + +Real name: Bilbo Baggins + +E-mail address: bilbo@shire.org + +Comment: +You selected this USER-ID: + "Bilbo Baggins " + +Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O + +You need a Passphrase to protect your secret key. + + + +gpg: key 488BA441 marked as ultimately trusted +public and secret key created and signed. + +gpg: checking the trustdb +gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model +gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u +pub 4096R/488BA441 2013-03-13 + Key fingerprint = B878 1FB6 B187 B94C 3E52 2AFA EB1D B79A 488B A441 +uid Bilbo Baggins +sub 4096R/69B0EA85 2013-03-13 +~~~ + + +Using PGP with Git +------------------ + +If you're submitting a patch via GitHub (or a similar Git server), please sign +your Git commits. + +1. Set up Git to use your key: + + ~~~ + git config --global user.signingkey + ~~~ + +2. Set up Git to sign your commits with your key: + + ~~~ + git config --global commit.gpgsign true + ~~~ + + Alternatively, manually specify when a commit is to be signed: + + ~~~ + commit -S + ~~~ + +3. (Optional) Create signed tags: + + ~~~ + git tag -s -m "" + ~~~ + + You can also create an alias to make this easier: + + ~~~ + stag = "!id=`git rev-parse --verify HEAD`; git tag -s tag_for_${id:0:8} -m \"Tag for commit $id\"" + ~~~ + + You may also find it convenient to have an alias for verifying the tag on the + latest commit: + + ~~~ + vtag = !git tag -v `git describe` + ~~~ + + +Using PGP with Email +-------------------- + +If you're submitting a patch via email (to the developer [mailing list]), simply +sign your email with your PGP key. (One good way to do this is with a program +like [Enigmail].) + + +[guide]: https://alexcabal.com/creating-the-perfect-gpg-keypair/ +[source code]: /doc/source-code/ +[mailing list]: /doc/mailing-lists/ +[Enigmail]: https://www.enigmail.net/ + From 06b3f7af831d48d07f8b3c64068b57813a819eaf Mon Sep 17 00:00:00 2001 From: Axon Date: Tue, 8 Mar 2016 21:55:28 +0000 Subject: [PATCH 33/37] Add code-signing.md to ToC and sort entries --- doc.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc.md b/doc.md index 950fefce..f3620e78 100644 --- a/doc.md +++ b/doc.md @@ -156,12 +156,13 @@ For Developers -------------- * [System Documentation](/doc/system-doc/) * [Developers' FAQ](/doc/devel-faq/) - * [How to Contribute to the Qubes OS Project](/doc/contributing/) * [Reporting Security Issues](/security/) * [Reporting Bugs](/doc/reporting-bugs/) * [Source Code](/doc/source-code/) + * [How to Contribute to the Qubes OS Project](/doc/contributing/) + * [Coding Guidelines](/doc/coding-style/) + * [Code Signing](/doc/code-signing/) * [Qubes OS Version Scheme](/doc/version-scheme/) * [Supported Versions](/doc/supported-versions/) - * [Coding Guidelines](/doc/coding-style/) * [Books for Developers](/doc/devel-books/) * [Qubes OS License](/doc/license/) From 509ab60255cd88baeaaf8cfc2e5e299560d7413c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 9 Mar 2016 19:45:06 +0100 Subject: [PATCH 34/37] Remove experimental notice from 3.0->3.1 upgrade instruction --- installing/upgrade-to-r3.1.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/installing/upgrade-to-r3.1.md b/installing/upgrade-to-r3.1.md index 136b3088..c8763d08 100644 --- a/installing/upgrade-to-r3.1.md +++ b/installing/upgrade-to-r3.1.md @@ -11,8 +11,6 @@ redirect_from: Upgrading Qubes R3.0 to R3.1 ====================================== -**Caution: The procedure to upgrade from R3.0 to R3.1 is experimental!** - **Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users [back up their systems](/doc/backup-restore/).** From f08f590459f490dc5e5af057381610992af1b7b1 Mon Sep 17 00:00:00 2001 From: Axon Date: Thu, 10 Mar 2016 00:23:49 +0000 Subject: [PATCH 35/37] Clean up and update installation guide --- installing/installation-guide.md | 95 +++++++++++++++++++++----------- 1 file changed, 62 insertions(+), 33 deletions(-) diff --git a/installing/installation-guide.md b/installing/installation-guide.md index fafe3710..8673603e 100644 --- a/installing/installation-guide.md +++ b/installing/installation-guide.md @@ -17,68 +17,97 @@ redirect_from: --- Installation Guide -======================================== - -1. [Hardware Requirements](#hardware-requirements) -2. [Download installer ISO](#download-installer-iso) -3. [Burning the ISO onto a DVD or USB stick](#burning-the-iso-onto-a-dvd-or-usb-stick) -4. [Upgrading](#upgrading) -5. [Troubleshooting problems with the installer](#troubleshooting-problems-with-the-installer) -6. [Getting Help](#getting-help) +================== Hardware Requirements --------------------- -Please see the [Hardware Compatibility List](/hcl/) page for more information on required and recommended hardware. +Please see the [system requirements] and [Hardware Compatibility List] pages for +more information on required and recommended hardware. -Note: We don't recommend installing Qubes in a virtual machine! It will likely not work. Don't send emails asking about it. However, you can install it on an external USB hard drive and run from it, at least for testing (normally such disks are *orders* of magnitude slower than even the slowest internal hard drives). +**Note:** We don't recommend installing Qubes in a virtual machine! It will +likely not work. Please don't send emails asking about it. You can, however, +install it on an external USB hard drive and run from it, at least for testing. +(Bear in mind, however, that such disks are typically *orders* of magnitude +slower than even the slowest internal hard drives). We also have a [live USB] +option (currently in alpha). -Download installer ISO ----------------------- -See [this page](/doc/QubesDownloads/) for ISO downloads. Remember, we have absolutely no control over those servers, and so you should be assuming that they might be compromised, or just be serving a compromised ISOs because their operators decided so, for whatever reason. Always verify the digital signature on the downloaded ISO. See this [page](/doc/verifying-signatures/) for more info about how to download and verify our GPG keys, and then verify the downloaded ISO: +Downloading the ISO +------------------- - gpg -v Qubes-R2-x86_64-DVD.iso.asc +See the [downloads] page for ISO downloads. Remember, we have absolutely +no control over those servers, so you should be assuming that they might be +compromised, or just be serving compromised ISOs because their operators decided +so, for whatever reason. Always verify the digital signature on the downloaded +ISO. Make sure to read our guide on [verifying signatures] for more info about +how to download and verify our PGP keys and verify the downloaded ISO. -Adjust filename to the version you're installing. -Burning the ISO onto a DVD or USB stick ---------------------------------------- +Copying the ISO onto the installation medium +-------------------------------------------- -Once you verify this is an authentic ISO, you should burn it on a DVD. +Once you verify this is an authentic ISO, you should copy it onto the +installation medium of your choice, such as a DVD or a USB drive. (Please note +that there are important [security considerations] to keep in mind when choosing +an installation medium.) -If you prefer to use USB as a source for installation, then you just need to copy the ISO onto the USB device, e.g. using dd: +If you prefer to use a USB drive, then you just need to copy the ISO onto the +USB device, e.g. using `dd`: - dd if=Qubes-R2-x86_64-DVD.iso of=/dev/sdX + dd if=Qubes-R3-x86_64.iso of=/dev/sdX -Adjust filename to the version you're installing. **Be sure to use a correct device as the target in the dd command above (instead of sdX)'''** +Adjust the filename to the version you're installing. **Be sure to use the +correct device as the target in the dd command above (instead of `sdX`).** -On windows you can use [Rufus](http://rufus.akeo.ie/) tool. Be sure to select "DD image" mode (you need to do that **after** selecting Qubes iso image): +On Windows, you can use the [Rufus] tool. Be sure to select "DD image" mode (you +need to do that **after** selecting the Qubes ISO): -Before proceeding with the installation, you are encouraged to first read all the information on this page, especially the *Known Issues* paragraph. +Before proceeding with the installation, you are encouraged to first read all +the information on this page. When you're ready, boot your system from the +installation source and follow the on-screen instructions. The installer is very +simple and asks very few questions. (It's actually easier to install Qubes right +now than most other Linux distributions!) -Then, when finally ready, boot your system from the installer DVD and follow the instructions on screen. The installer is very simple and asks very few questions -- it's actually easier to install Qubes right now than most other Linux distributions! +The installer loads Xen right at the beginning, so chances are high that if you +can see the installer's graphical screen, Qubes will work on your system. :) -The installer loads Xen right at the beginning, so chances are high that if you can see the installer's graphical screen, Qubes will work on your system :) Upgrading --------- -See [release notes](/doc/releases/) of appropriate version. - +For instructions in upgrading an existing installation, please see the **Release +Notes** of the version to which you want to upgrade. All of these release notes +are available from the main [downloads] page. Getting Help ------------ -- **User manuals are [here](/doc/).** (Strongly recommended!) + * We work very hard on making the [documentation] accurate, comprehensive, and + useful. We urge you to read it! It may very well contain the answers to your + questions. (Since the documentation is a community effort, we'd also greatly + appreciate your help in [improving] it!) -- Developers documentation (normally not needed by users) is [here](/doc/system-doc/) + * If you don't find your answer in the documentation, it may be time to consult + the [mailing lists], as well as the many other available sources of [help]. -- If you don't find answer in the sources given above, write to the *qubes-users* mailing list (you don't need to be subscribed to the list, just send email to the address given below): - - [https://groups.google.com/group/qubes-users](https://groups.google.com/group/qubes-users) - - `qubes-users@googlegroups.com` + * Please do not email individual developers (Marek, Joanna, etc.) with + questions about installation or other problems. Please send all such + questions to the appropriate mailing list. + + +[system requirements]: /doc/system-requirements/ +[Hardware Compatibility List]: /hcl/ +[live USB]: /doc/live-usb/ +[downloads]: /downloads/ +[verifying signatures]: /doc/verifying-signatures/ +[security considerations]: /doc/install-security/ +[Rufus]: http://rufus.akeo.ie/ +[documentation]: /doc/ +[improving]: /doc/doc-guidelines/ +[mailing lists]: /doc/mailing-lists/ +[help]: /help/ -- Please do not write email to individual developers (Marek, Joanna, etc) asking questions about installation or other problems. Please send all such questions to the mailing list. From 305ffd0d3c33ba29d71a284cc60e6b06dd098aae Mon Sep 17 00:00:00 2001 From: Axon Date: Thu, 10 Mar 2016 00:29:33 +0000 Subject: [PATCH 36/37] Update Installation Security Considerations --- installing/install-security.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/installing/install-security.md b/installing/install-security.md index ba04f219..d41c60f7 100644 --- a/installing/install-security.md +++ b/installing/install-security.md @@ -10,17 +10,19 @@ redirect_from: # Installation Security Considerations # + ## Verifying the Qubes ISO ## -You should [verify][] the PGP signature on your Qubes ISO before you install +You should [verify] the PGP signature on your Qubes ISO before you install from it. However, if the machine on which you attempt the verification process is already compromised, it could falsely claim that a malicious ISO has a good signature. Therefore, in order to be certain that your Qubes ISO is trustworthy, you require a trustworthy machine. But how can you be certain *that* machine is trustworthy? Only by using another trusted machine, and so forth. This is a -[classic problem][trusting-trust]. While various [solutions][countering] have -been proposed, the point is that each user must ultimately make a choice about -whether to trust that a file is non-malicious. +[classic problem]. While various [solutions] have been proposed, the point is +that each user must ultimately make a choice about whether to trust that a file +is non-malicious. + ## Choosing an Installation Medium ## @@ -29,11 +31,12 @@ decided to trust your Qubes ISO. Great! Now you must decide what sort of medium on which to write it so that you can install from it. From a Qubes-specific security perspective, each has certain pros and cons. + ### USB Drives ### Pros: - * Works via USB, including with a [USBVM][]. + * Works via USB, including with a [USB qube]. * Non-fixed capacity. (Easy to find one on which the ISO can fit.) Cons: @@ -45,6 +48,7 @@ Cons: also [compromise the drive][BadUSB]. Installing from a compromised drive could compromise even a brand new Qubes installation.) + ### Optical Discs ### Pros: @@ -71,8 +75,10 @@ Cons: untrusted ISO to dom0 in order to burn it to disc, which leaves only the other two options.) -[verify]: https://www.qubes-os.org/doc/VerifyingSignatures/ -[trusting-trust]: http://www.acm.org/classics/sep95/ -[countering]: http://www.dwheeler.com/trusting-trust/ -[USBVM]: https://www.qubes-os.org/doc/SecurityGuidelines/#creating-and-using-a-usbvm + +[verify]: /doc/verifying-signatures/ +[classic problem]: http://www.acm.org/classics/sep95/ +[solutions]: http://www.dwheeler.com/trusting-trust/ +[USB qube]: /doc/usb/#creating-and-using-a-usb-qube [BadUSB]: https://srlabs.de/badusb/ + From 386fc203b9ad1f0771e0523fd608bd7e578c20d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 10 Mar 2016 02:05:26 +0100 Subject: [PATCH 37/37] Remove testing-repository requirement from 3.0->3.1 upgrade guide Reported by @axon-qubes --- installing/upgrade-to-r3.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installing/upgrade-to-r3.1.md b/installing/upgrade-to-r3.1.md index c8763d08..46917339 100644 --- a/installing/upgrade-to-r3.1.md +++ b/installing/upgrade-to-r3.1.md @@ -36,7 +36,7 @@ section should be repeated in **all** the user's Template and Standalone VMs. 2. Install the `qubes-upgrade-vm` package: - sudo yum install --enablerepo=qubes-vm-r3.0-current-testing qubes-upgrade-vm + sudo yum install qubes-upgrade-vm 3. Proceed with a normal upgrade in the template: