Consider adding option 'none' to set Default NetVM #2252
andrewdavidwong
Aug 16, 2016
Member
Quoting Marek:
"The default netvm is started by qubes-netvm dom0 service. If you don't want that, simply disable the service."
Source: https://groups.google.com/d/msg/qubes-users/8dya28aBpko/9vYJN6uRZFQJ
Does this resolve the issue?
entr0py
Aug 16, 2016
Yes, thank you.
entr0py closed this Aug 16, 2016
entr0py
Aug 18, 2016
Since I've disabled qubes-netvm.service, I'm unable to automatically start ANY VMs. Is there a service that requires After=qubes-netvm.service?
If this result is expected, I'd like to reopen this issue. I think it's useful to be able to auto start sys-net, sys-usb, etc without launching a chain of proxyVMs / whonix-gateway.
entr0py reopened this Aug 18, 2016
entr0py
Aug 18, 2016
grep shows that both qubes-vm@.service and qubes-reload-firewall@.service come After=qubes-netvm.service. I don't know what these do yet.
edit: So qubes-vm@.service IS responsible for auto-starting VMs that are not related to the default netVM. Hacky thing would be to change qubes-vm & qubes-reload-firewall to start where qubes-netvm would normally start, but that's probably more tinkering than I should do. Would be nicer to have "none" option in Qubes Manager!
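
The grep in the comment above finds which units mention qubes-netvm.service. As an added example (not part of the thread and not Qubes code), this script also reports whether each reference is an ordering directive (After=/Before=) or a dependency directive (Requires=/Wants= and similar). The unit bodies are constructed samples: only the two After= relationships come from the comment, and the example-* units are hypothetical.

```python
import glob
import os

ORDERING = {"After", "Before"}                              # sequencing only
DEPENDENCY = {"Requires", "Requisite", "BindsTo", "Wants"}  # start/stop coupling

def unit_references(unit_text, target):
    """Return [(directive, kind)] for [Unit] directives that name `target`.
    Simplification: no backslash continuations, no drop-in directories."""
    refs, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Unit" or not sep or target not in value.split():
            continue
        key = key.strip()
        if key in ORDERING:
            refs.append((key, "ordering"))
        elif key in DEPENDENCY:
            refs.append((key, "dependency"))
    return refs

def scan(units, target):
    """Map unit name -> references to `target`, omitting units with none."""
    found = {name: unit_references(text, target) for name, text in units.items()}
    return {name: refs for name, refs in found.items() if refs}

# Constructed sample unit bodies: only the After= lines for the two qubes-*
# units come from the thread; everything else is made up for illustration.
SAMPLE_UNITS = {
    "qubes-vm@.service": "[Unit]\nDescription=sample\nAfter=qubes-netvm.service\n",
    "qubes-reload-firewall@.service": "[Unit]\nAfter=example-a.service qubes-netvm.service\n",
    "example-needs-netvm.service": "[Unit]\nRequires=qubes-netvm.service\nAfter=qubes-netvm.service\n",
    "example-unrelated.service": "[Unit]\n# After=qubes-netvm.service\n[Service]\nExecStart=/bin/true\n",
}

if __name__ == "__main__":
    # On a real system, read the installed unit files; otherwise use the samples.
    dirs = ("/usr/lib/systemd/system", "/etc/systemd/system")
    paths = [p for d in dirs for p in glob.glob(d + "/*.service") if os.path.isfile(p)]
    units = {p: open(p, errors="replace").read() for p in paths} or SAMPLE_UNITS
    for name, refs in sorted(scan(units, "qubes-netvm.service").items()):
        print(name, refs)
```
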
andrewdavidwong added enhancement, C: qubes-manager labels Aug 18, 2016
entr0py referenced this issue Dec 23, 2016: Remove separate service for starting default NetVM #2533 (Closed)
tasket
Dec 23, 2016
This could be considered a security issue:
A user that does not want a netvm starting at boot time may be concerned that a likely-compromised netvm would send tracking info via nearby wifi routers. Turning on the generally untrusted NICs automatically could be a bad idea for some users. They should have the option of disabling it without sacrificing system usability.
andrewdavidwong added this to the Release 4.0 milestone Dec 24, 2016
Done.
entr0py commented Aug 16, 2016
Qubes 3.1 currently auto-starts the Default NetVM.
If whonix-gw is the default NetVM and there are proxyVM(s) that whonix-gw is connected to, then the entire chain will start at boot. This behavior is undesirable if certain VMs need to be initialized prior to receiving connected VMs. Setting default NetVM to another VM such as sys-net presents privacy risks so is not an acceptable workaround.