/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement qrexec service for installing template images #1705

Closed
marmarek opened this Issue Jan 29, 2016 · 2 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0
3 participants
@marmarek @jpouellet @andrewdavidwong
@marmarek
Member

marmarek commented Jan 29, 2016

Currently the only way to install new template is to use qubes-dom0-update tool. This means the package needs to be built and signed by ITL.
It would be good to provide a tool (qrexec service) to create new templates from 3rd party sources. The template image itself (root.img) is not trusted by dom0 in any way, so it would not compromise whole system security (contrary to rpm installed in dom0, which can do anything).
AppVMs based on some template do trust its root.img, but it's up to the user which VMs will use such template.

Then, having such service, it will be possible to write a tool (running in some VM), which would download the image, verify its checksum/signature and transfer to dom0. Optionally first converting the image to "raw" format from something else (vmdk, vdi, qcow2 etc).

Such template should have PVGrub set as a kernel by default, so the template will be able to use whatever kernel it want. Including non-Linux one: MirageOS, FreeBSD etc.

In R4.0, we will have tags for VMs, so such template should be tagged as imported and imported-from-VMNAME (where VMNAME is a name of VM which sent that image). Related to #1637

@marmarek marmarek added enhancement C: core P: major release-notes labels Jan 29, 2016

@marmarek marmarek added this to the Release 3.1 milestone Jan 29, 2016

@marmarek marmarek modified the milestones: Release 3.1, Release 3.1 updates Feb 8, 2016

andrewdavidwong added a commit that referenced this issue May 31, 2016

@andrewdavidwong
Track #1705
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: DB4DD3BC39503030 Learn about signing commits
e43f93b
@jpouellet

This comment has been minimized.

Show comment
Hide comment
@jpouellet

jpouellet May 26, 2017

Contributor

Would this be resolved by QubesOS/qubes-doc@7ec63f5?

Also, XREF #2634 since I hadn't noticed this before.
Contributor

jpouellet commented May 26, 2017
edited
Edited 1 time
  • @jpouellet jpouellet edited May 26, 2017 (most recent)

Would this be resolved by QubesOS/qubes-doc@7ec63f5?

Also, XREF #2634 since I hadn't noticed this before.

jpouellet referenced this issue in QubesOS/qubes-doc May 26, 2017

@marmarek
mgmt1: add volume.Import method 
This will allow importing full VM through the Admin API. Important for
"VM import" feature (QubesOS/qubes-issues#2634) and "paranoid backup
restore" (QubesOS/qubes-issues#2737).
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: F32894BE9684938A Learn about signing commits
7ec63f5

@andrewdavidwong andrewdavidwong modified the milestones: Release 3.1 updates, Release 3.2 updates May 31, 2017

@marmarek marmarek modified the milestones: Release 3.2 updates, Release 4.0 Mar 17, 2018

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 17, 2018

Member

Admin API covers all of this. It is already possible to install qubes-template-* rpm package from a VM (having appropriate Admin API access). Some nicer UI could be useful, but that's #2534
Member

marmarek commented Mar 17, 2018

Admin API covers all of this. It is already possible to install qubes-template-* rpm package from a VM (having appropriate Admin API access). Some nicer UI could be useful, but that's #2534

@marmarek marmarek closed this Mar 17, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment