Change the OS used in dom0 #1919
Comments
mfc
added
the
help wanted
andrewdavidwong
added
C: desktop-linux
C: installer
P: major
This comment was marked as outdated.
This comment was marked as outdated.
|
the problem is , why anyone would take fedora which is very known for its issues (from about 2000) and their enterprise lockin on the code (redhat sucking stuff...) ? is there anyone can give me good reasons why taking fedora at the first place ? why not debian ? why not even gentoo (which is regarding of code easiness/freedomcy better than fedora)? im afraid the one who took the first (lets call it "bad") decision is still continuing to take these decisions which will make qubes a disaster even if u shifted to debian or X distro. so i think consultations on these decisions is very important. and fedora to be the core of qubes or any other linux distro is a mistaken step. |
|
Fedora is currently hosting the graphical environment and, like it or
not, it has the best compatibility with graphic cards. Debian generally
has old X drivers and older kernel. This is especialy problematic with
Qubes, because the hardware selection is already constrained by
virtualisation extension.
We will surely consider switching the distro when we implement GUI
domain. It is on out roadmap and depends on GPU passthrough, which
does not currently work, at least not without patching Xen and libvirt.
We this it will be hard enough, and the effort should be directed there.
When switching, it will be neither Fedora nor Debian or any general
purpose distro, but something very minimal, like Alpine.
|
|
What exactly is the issue with GPU passthrough and Xen? |
|
Take a look at this thread - it's a good summary of GPU passthrough and PCI passthrough to HVM at all: https://groups.google.com/d/topic/qubes-devel/mvZBIUuyjv0/discussion |
|
It would be really nice to have a choice here. Like @woju I think it would be best to have a minimal distribution. However it might be nice to try something more declarative like NixOS. I guess you wouldn't want to maintain different distributions, at least not for the official distribution? Do you have an idea how many Fedora specific configuations are in the qubes builder and the applications? |
Exactly.
During the current Fedora 20 -> 23 upgrade I'm trying to collect that list. Actually two lists:
I think the only really Fedora specific thing is update mechanism, other parts are just some system configuration which may need some adjustment when porting to other distribution (like config file locations etc). Yes, we're considering NixOS here, but no decision has been made yet. |
I've got some experience here as I've been running Debian in dom0 for a while. It's an unholy mix of packages, alien and hand crafted stuff,(hand crafted like the Borja Jesus), and not full Qubes. But it works well enough for my slight requirements. I'm hoping that the upgrade to 3.1 will be somewhat closer to full Qubes. It's interesting that @mfc suggests that Debian provides increased hardware compatibility, while @woju says Fedora has best compatibility with graphic cards. Is there any evidence either way? |
|
The Borja jesus 😂 That still sounds somehow encouraging! What are your reasons for prefering Debian on the dom0? I just started using qubes and I had much more experience with Debian, Arch, ... but basically none with Fedora. It took a short while to get accustomed - but in the end it feels all the same with some minor package manager differences. Since qubes takes a more radical approach in general, I think it would also make sense to consider a change to something conceptually "better" or more advanced like nix. |
|
unman, could you please share more details about your setup, maybe even commits? ;-) Are you running this on a jessie based dom0 or stretch? How did you build+install the qubes specific stuff? I'm still pondering doing the same, and looking at the cubes git repos I've identified these as being needed for dom0:
Is that correct? Which are missing? Cause once dom0 is working one should be able to deploy VMs from a backup… ;-) |
|
On Wed, May 18, 2016 at 09:03:43AM -0700, Holger Levsen wrote:
In addition to above:
And mgmt-salt stuff (everything with "base" and "dom0"). Some of them already have debian packaging. Packaging Xen for dom0 would be tricky because of stubdomains. It And template packages needs to be converted to deb. Or not packaged at
Yes, it should be possible. Best Regards, |
|
Marek, thanks for the hints! For a start I don't mind violating Debian policy if needed. That said, while statically linking and embedded code copies are discouraged in general, there are also exceptions to these rules. But really, at first I just want to be able to use a Debian based system as dom0. |
|
@h01ger I'm currently working on 3.1, and trying to do the right thing, packaging properly and (sometimes) using qubes-builder framework, but I have limited time before my next trip. When I have anything sensible to share I will certainly commit, but I'm a way off that at present. When I started there was a clear thought that Qubes would be moving to Debian, and I wanted to see what would be involved. Now, of course, that's no longer the case, so I suspect time is better spent working on Debian issues on the vm side. |
|
I thought one of the main reasons to switch from Fedora to Debian are reproducible builds. Debian made and make a lot of progress in this area. The other question which was discussed before is moving from KDE to GTK (Gnome) for the desktop. @woju proposed above a switch to Alpine Linux. I understand that Alpine Linux has nice security features, but it seems to be a radical switch. A switch to Alpine would be less radical if the management GUI and dom0 would be separated. In the case the separation between GUI and dom0 would be possible and implemented, dom0 would be Alpine, but what about the GUI domain? Why not going step by step. First moving from Fedora to Debian, because of the ability to create reproducible builds. Then moving from KDE to GTK (Gnome). The final step would be to separate Dom0 into separate domains. The management domain would be Alpine whereas the graphical engagement domain would be still Debian. Another good point of @woju is the problem with drivers, older kernel and drivers in Debian. This is true for Debian stable, but Debian has a testing, unstable and experimental repository which contain more up to date packages. Debian and Linux in general has many distribution derivatives. Why not using one of the derivatives which fulfills the requirements:
Tanglu is a distribution which fulfills all the requirements. Tanglu is based on Debian, but uses software packages from testing, unstable and sometimes experimental to provide the newest drivers and other software packages, but is still based on Debian stable. Tanglu has three main editions KDE, GNOME and core. In addition Tanglu uses Calamares the independent system installer. |
|
For reference: |
|
https://wiki.debian.org/Qubes/Devel is the relevant URL for this issue. https://wiki.debian.org/Qubes just describe how to use Qubes from the point of view of someone familar with Debian - and that wiki page is also a bit outdated. |
How did you come to that conclusion?
I don't think Fedora can be as transparent as that. Once one wants to do certain things, one example is #1375 and there are others, one is back to learning about Fedora. Same when issues happen or when debug info is requested. And that probably is not going to go away. Also higher effort for developers to know two systems. For example makes getting grsecurity in Qubes harder since an rpm package / repository is required. |
I think this is also falling into the trap of reinforcing the pre-Qubes status quo, which is "hide context from end users", instead of thinking strategically about what role the user can play. Displaying a timestamp gives us a better chance to defend ourselves. What's concerning is the not-a-nice-UI argument logically leads to this question..... Why use Qubes at all when the user has to use VM context info to decide what is safe? "this is going to end up being ignored or misunderstood by the vast majority of users", right? So I don't think the assumptions used for that argument are compatible with Qubes (because they negate Qubes) and in general I would hope that Debian, Fedora, etc. update their threat models to flesh-out the scenarios being discussed here. Andrew stated:
Yes, these big distros have not fleshed-out their threat models for system updates. That is understandable because the thinking is so old, practically from a different generation when certain classes of threats (or threat actors) were not taken seriously. Another suggestion: Don't cling to the idea that sneakernet and cherry-picked installs have to provide the smoothest verification path. Best practices should not be bent around that expectation. It would be healthier to show a warning and/or require a |
|
@DonKult: Thank you very much for the detailed response. I apologize that you were summoned here. You're right that I should have asked my questions on the appropriate Debian mailing list instead, but thank you for indulging my curiosity here nonetheless. Apologies to others, as well, if I took us too far afield from the original topic. As many of you have noted, the high-level questions about trust requirements are relevant to this issue, but the fine-grained details about specific package management systems are probably best hashed out elsewhere. 🙂 |
|
@DonKult From what I can tell, the real problem is that the main process puts too much trust in the helper. If the helper is trusted, there is no real point in confining it. If it is not trusted, then the hashes it sends back also cannot be trusted. Instead, the parent process needs to copy the file (since the helper might still have access to the file it just downloaded) and calculate the hash of the copy. |
Don't discount economics: there is no commercial motivation to sign these packages. Red Hat doesn't provide GPG signatures for RHEL ISOs, you verify the ISO checksum by signing into their licensing portal. Red Hat, Ubuntu, and Suse respond to questions about reproducible builds with marketing speak about their secure build process. I'm not proposing some evil conspiracy, I think it is possible to get Fedora and Debian to start signing everything. But either be prepared to volunteer a lot of personal time and effort or find some company that would benefit from this financially and get them to pay for it.
Why would you switch to a distro designed for embedded hardware or building containers? Both distros and hardware manufacturers put in a ton of work into keeping consumer hardware working. You are going to cut off access to a large percentage of hardware and make updates much more risky for end users. |
Indeed. But that just throws Fedora's practices into high relief. Its the odd one out, and the other distros manage just fine signing their metadata. |
|
Hope I don't crowd this already crowded topic too much. Thought I'd pull up this overview from a while back: I'll repeat part of it here: competing+conflicting criteria for dom0. (In parentheses, distro(s) that do(es) each thing well.):
It's been a year and Debian seems like one obvious choice. The only major downsides seem to be the difficulty in making the switch from Fedora (retooling Qubes); and the fact that transactional upgrades (ostree) won't be coming. Yocto was also mentioned but this seems like it might be a more long-term goal? Seems like ad-hoc configurability in dom0 is still going to be useful for the near future. (Until maybe dom0 is further atomized/decomposed.) Either Debian or CentOS + some kind of ostree layer (even a Qubes-custom layer) might be interesting. Not sure how feasible coding an ostree layer for Debian would be. EndlessOS has coded a very rudimentary ostree layer for Debian. (But it doesn't include package layering like Fedora Silverblue.) CentOS used to have rpm-ostree integration but it has been dropped for future releases. Also, personally I don't know much about CentOS/its community, though others here have spoken favorably about it. |
@fepitre Most of those seem to be related to documentation, which we don’t need to build in dom0. |
|
While sphinx indeed is about documentation, it is build dependencies of some packages. So yes, we do need those packages in dom0 (build) environment, even if not installed in the target system. I don't think excluding (for example) qvm-* tools man pages from dom0 packages is a good idea - if anything, we have too little documentation available in the system, not to much. But also, it doesn't seem to me that "most" is related to documentation. While some of the packages in "epel-8-python38" repo are about sphinx, it doesn't look to be even half of it. And in "epel-8-qubes" repository I see at most one package related to the documentation. |
|
How difficult would it be for us to build the remaining packages ourselves? |
I've started to wrote some tool to ease Fedora/CentOS src package -> Qubes src package. According to CentOS git, there is packages that are now in CentOS 8 beta which would help us a little bit but still, it would remain something like one month of work to have dom0 under CentOS8 which is not in our possibilities currently. |
Except for this quick mention, no one took up the question of Gentoo. I may not be the most educated in regard to security matters, but I do see that Gentoo is compatible with Xen, it has a Hardened version, and it being compiled from sources, would be optimized for the platform. As a rolling release, it would make Qubes much easier to upgrade, as it would only be the VM's with point releases. This is a bit OT, but I might also ask why sys-firewall isn't something like pfsense/OPNsense (BSD based) or IPFire (Linux based). Or if you want more full-blown options, there are the CentOS based NethServer or Koozali. These are built to purpose and offer all kinds of relevant software from bonding multiple WANs to IDS's like Snort or Suricata. |
|
It might not be great for productivity to mix up discussions on:
A good question to ask for any proposed Linux distribution in my opinion is:
And if the answer is no: that distribution is unstable. May also also suggest to develop a list of generic criteria before reviewing specific Linux distributions? For inspiration, see Criteria for Choosing a Base Distribution. On Gentoo / Hardened Gentoo... Quote https://www.whonix.org/wiki/Dev/Operating_System#Gentoo_.2F_Hardened_Gentoo
|
|
@adrelanos - Thank you. That explains the situation with Gentoo. I appreciate your patience. At risk of taxing it, I will ask if any consideration have been given to the use of a BSD for Dom0? I see at least two are compatible with Xen, but there has been no mention at all on this thread. |
|
Please, let's try to limit further comments on this issue to only what is essential for developers to do their work. qubes-issues is not intended to be a discussion forum, and this issue is getting too big to be helpful to the developers. If anyone wants to ask questions for their own understanding or have a more general discussion about these topics, please take it to the appropriate mailing list. |
andrewdavidwong
added
C: core
T: enhancement
|
Could @mfc or one of the admins edit the OP to link to the Alt Distro in dom0 forum post and close|lock this ticket? I think it's outlived its usefulness. |
|
Marek (2016):
out of curiosity, I assume this was rejected at the time, but could you say why? |
and others
We have discussed this numerous times but don't have an issue to track these discussions. It would be worth understanding what would be needed to change dom0 from Fedora to Debian (say Debian 8). Benefits include:
This ticket does not encompass modifying the desktop environment.
The text was updated successfully, but these errors were encountered: