/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DispVM changes in Qubes 4.0 #2253

Closed
marmarek opened this Issue Aug 16, 2016 · 2 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0
1 participant
@marmarek
@marmarek
Member

marmarek commented Aug 16, 2016
edited
Edited 1 time
  • @marmarek marmarek edited Jul 31, 2017 (most recent)

This ticket is for tracking DispVM changes in Qubes 4.0:

  • Modify qrexec policy to allow express "DispVM based on X", not only
    "DispVM" by adding "$dispvm:vmname" option. Have "$dispvm" mean "default
    DispVM", not "any DispVM".
  • Move target VM choice from calling VM to dom0, based on qrexec policy and user choice (#910)
  • Add ability to specify default target VM for given service and source VM (optional for 4.0?)
  • Inherit all the VM settings from DispVM base VM, instead of calling VM (including label and netvm)
  • Start DispVM the same way as other VMs - do not use savefile (unfortunate effect of lack of manpower and #2185)

References:

@marmarek marmarek added C: core task labels Aug 16, 2016

@marmarek marmarek added this to the Release 4.0 milestone Aug 16, 2016

marmarek added a commit to marmarek/qubes-linux-utils that referenced this issue Aug 16, 2016

@marmarek
initramfs: use thin-pool on volatile.img instead of static partitions… 
… (WIP)

This allows much more flexibility in space usage. The most important use
case if DispVM in Qubes 4.0, where both root and private images should
have CoW layer applied.
This will also ease having completely encrypted volatile.img
(QubesOS/qubes-issues#904).

This is only partial implementation, missing parts:
 - fstab adjustments (swap now on /dev/mapper/dmswap instead of
   /dev/xvdc1)
 - private.img mounting adjustments (possibly /dev/mapper/dmprivate
   instead of directly /dev/xvdb)
 - only "simple" implementation for dracut modified, others (full
   dracut module and debian initramfs) not touched

Also this new approach takes longer to setup - 0.6s vs 0.3s (on some
arbitrary hardware).

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
c444fa8
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Aug 16, 2016

Member

Some naive benchmark of non-savefile based DispVM:

  • Qubes 3.2, savefile based DispVM startup, with savefile generation: 25.5s
  • Qubes 3.2, savefile based DispVM startup, without savefile generation: 4s
  • Qubes 4.0, non-savefile based DispVM startup: 9.5s

Test done calling time qvm-run --dispvm date from a VM. Starting some real application will take some more time, but probably will take the same time regardless of DispVM startup method.
Tests done on Librem 13, with SSD disk.
Member

marmarek commented Aug 16, 2016

Some naive benchmark of non-savefile based DispVM:

  • Qubes 3.2, savefile based DispVM startup, with savefile generation: 25.5s
  • Qubes 3.2, savefile based DispVM startup, without savefile generation: 4s
  • Qubes 4.0, non-savefile based DispVM startup: 9.5s

Test done calling time qvm-run --dispvm date from a VM. Starting some real application will take some more time, but probably will take the same time regardless of DispVM startup method.
Tests done on Librem 13, with SSD disk.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Aug 16, 2016

Member

Qrexec policy changes documented here: https://www.qubes-os.org/doc/qrexec3/#extra-keywords-available-in-qubes-40-and-later
Member

marmarek commented Aug 16, 2016

Qrexec policy changes documented here: https://www.qubes-os.org/doc/qrexec3/#extra-keywords-available-in-qubes-40-and-later

marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Aug 16, 2016

@marmarek
qubes/dispvm: misc fixes, make it actually working 
- DispVM is no longer a special case for storage
- Add missing 'rw=True' for volatile volume
- Handle storage initialization (copy&paste from AppVM)
- Clone properties from DispVM template

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
ab6f961

marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Aug 16, 2016

@marmarek
qubes: add 'default_dispvm' property - both Qubes and QubesVM 
QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
1a215e4

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Aug 17, 2016

@marmarek
qrexec: add option to wait for VM-VM connection termination 
Normally when qrexec-client setup VM-VM connection it exits
immediatelly. But it may be useful to wait for the connection to
terminate - for example to cleanup DispVM.

qrexec-daemon (the one that allocated vchan port) do receive such
notification, so expose such option to qrexec-client.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
849b295

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Aug 17, 2016

@marmarek
qrexec-policy: prefer using VM objects 
Pass VM object instead of just name - it will make extending much
easier. For example new DispVM handling.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
747dac9

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Aug 17, 2016

@marmarek
qrexec-policy: new DispVM handling - $dispvm:DISP_VM keyword 
Add support for `$dispvm:DISP_VM` syntax in target specification. At the
same time update the code for core3 API for handling DispVMs.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
c539227

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Aug 17, 2016

@marmarek
qrexec-policy: prefer using VM objects 
Pass VM object instead of just name - it will make extending much
easier. For example new DispVM handling.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
6b4896c

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Aug 17, 2016

@marmarek
qrexec-policy: new DispVM handling - $dispvm:DISP_VM keyword 
Add support for `$dispvm:DISP_VM` syntax in target specification. At the
same time update the code for core3 API for handling DispVMs.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
967f3a8

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Aug 17, 2016

@marmarek
qrexec-policy: prefer using VM objects 
Pass VM object instead of just name - it will make extending much
easier. For example new DispVM handling.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
f5e7c90

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Aug 17, 2016

@marmarek
qrexec-policy: new DispVM handling - $dispvm:DISP_VM keyword 
Add support for `$dispvm:DISP_VM` syntax in target specification. At the
same time update the code for core3 API for handling DispVMs.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
6a8bdf6

marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Aug 18, 2016

@marmarek
tests: port dispvm tests to core3 API 
Some tests do not apply, as there is no savefile and attributes
propagation is much simpler. Dropped tests:
 - test_000_firewall_propagation
 - test_001_firewall_propagation
 - test_000_prepare_dvm

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
e19df4c

@marmarek marmarek referenced this issue Aug 18, 2016

Closed

(R4.0) Feature parity with R3.1 #1825

12 of 12 tasks complete

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Sep 5, 2016

@marmarek
qrexec-policy: prefer using VM objects 
Pass VM object instead of just name - it will make extending much
easier. For example new DispVM handling.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
009e2e6

marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Sep 5, 2016

@marmarek
qrexec-policy: new DispVM handling - $dispvm:DISP_VM keyword 
Add support for `$dispvm:DISP_VM` syntax in target specification. At the
same time update the code for core3 API for handling DispVMs.

QubesOS/qubes-issues#2253
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
cce22c9

@marmarek marmarek closed this Sep 21, 2016

@marmarek marmarek added the release-notes label Oct 13, 2016

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status May 26, 2017

Closed

core-admin-linux v4.0.0 (r4.0) #57

awokd added a commit to awokd/qubes-doc that referenced this issue Jan 28, 2018

@awokd
Dispvm 4.0 updates 
Sourced primarily from QubesOS/qubes-issues#2253 and https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-devel/UGh8NDdkrXo#!topic/qubes-devel/UGh8NDdkrXo
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
53c8838

@awokd awokd referenced this issue in QubesOS/qubes-doc Jan 28, 2018

Merged

Dispvm 4.0 updates #538

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment