/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rudd-O's Network Server supports PVM. It needs to support HVM #3512

Open
tlaurion opened this Issue Feb 1, 2018 · 5 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.1
2 participants
@tlaurion @andrewdavidwong
@tlaurion
Contributor

tlaurion commented Feb 1, 2018

Qubes OS version:

R3.2, R4.0

Affected TemplateVMs:

Steps to reproduce the behavior:

Only PVM is supported

Expected behavior:

HVM support is needed

Actual behavior:

General notes:

Related issues:

Rudd-O/qubes-network-server#4

@tlaurion tlaurion changed the title from Rudd-o's Network Server needs to support HVM to Rudd-O's Network Server supports PVM. It needs to support HVM Feb 1, 2018

@andrewdavidwong andrewdavidwong added enhancement C: other labels Feb 2, 2018

@andrewdavidwong andrewdavidwong added this to the Release 4.1 milestone Feb 2, 2018

andrewdavidwong added a commit that referenced this issue Feb 2, 2018

@andrewdavidwong
Merge branch 'tlaurion-patch-2' into gh-pages 
Tracks #3512
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: 8CE137352A019A17 Learn about signing commits
630c052
@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Feb 2, 2018

Member

FYI @Rudd-O.
Member

andrewdavidwong commented Feb 2, 2018

FYI @Rudd-O.
@tlaurion

This comment has been minimized.

Show comment
Hide comment
@tlaurion

tlaurion Feb 7, 2018

Contributor

From : https://groups.google.com/forum/m/#!msg/qubes-users/sNjucuuiCcQ/UyNAnHKjAAAJ

Thank you for opening the ticket. It may be difficult for me to adapt
to 4.0, so I kindly request anyone with the required skillset to send a
pull request adapting it to 4.0.

--
Rudd-O
http://rudd-o.com/
Contributor

tlaurion commented Feb 7, 2018

From : https://groups.google.com/forum/m/#!msg/qubes-users/sNjucuuiCcQ/UyNAnHKjAAAJ

Thank you for opening the ticket. It may be difficult for me to adapt
to 4.0, so I kindly request anyone with the required skillset to send a
pull request adapting it to 4.0.

--
Rudd-O
http://rudd-o.com/
@tlaurion

This comment has been minimized.

Show comment
Hide comment
@tlaurion

tlaurion Feb 9, 2018

Contributor

@jpouellet @andrewdavidwong @marmarek @Rudd-O

What part changed in Qubes so that the theory of application is invalid in Qubes4 and HVM?

Theory of operation
Qubes OS relies on layer 3 (IP) routing. VMs in its networked tree send traffic through their default route interfaces, which upstream VMs receive and masquerade out of their own default route interfaces.

Qubes network server slightly changes this when a networked VM — a VM which has had its static_ip attribute set with qvm-static-ip — exists on the networked tree. As soon as a networked VM boots up, Qubes network server:

sets a static /32 route on every upstream VM to the networked VM's static IP, directing the upstream VMs to route traffic for that IP to their VIFs where they may find the networked VM
enables ARP neighbor proxying for the static IP on every upstream VM, such that every upstream VM announces itself to their own upstream VMs (and LAN, in the case of NetVMs) as the networked VM
sets firewall rules on every upstream VM that allow normal non-masquerading forwarding to and from the IP of the networked VM
(depending on the Qubes firewall policy of the networked VM) sets rules on every upstream ProxyVM that allow for certain classes of inbound traffic
(depending on the Qubes firewall policy of the networked VM) sets rules directly on the networked VM that allow for certain classes of inbound traffic
Contributor

tlaurion commented Feb 9, 2018
edited
Edited 2 times
  • @tlaurion tlaurion edited Feb 18, 2018 (most recent)
  • @tlaurion tlaurion edited Feb 18, 2018

@jpouellet @andrewdavidwong @marmarek @Rudd-O

What part changed in Qubes so that the theory of application is invalid in Qubes4 and HVM?

Theory of operation
Qubes OS relies on layer 3 (IP) routing. VMs in its networked tree send traffic through their default route interfaces, which upstream VMs receive and masquerade out of their own default route interfaces.

Qubes network server slightly changes this when a networked VM — a VM which has had its static_ip attribute set with qvm-static-ip — exists on the networked tree. As soon as a networked VM boots up, Qubes network server:

sets a static /32 route on every upstream VM to the networked VM's static IP, directing the upstream VMs to route traffic for that IP to their VIFs where they may find the networked VM
enables ARP neighbor proxying for the static IP on every upstream VM, such that every upstream VM announces itself to their own upstream VMs (and LAN, in the case of NetVMs) as the networked VM
sets firewall rules on every upstream VM that allow normal non-masquerading forwarding to and from the IP of the networked VM
(depending on the Qubes firewall policy of the networked VM) sets rules on every upstream ProxyVM that allow for certain classes of inbound traffic
(depending on the Qubes firewall policy of the networked VM) sets rules directly on the networked VM that allow for certain classes of inbound traffic

@tlaurion tlaurion referenced this issue Feb 15, 2018

Closed

Cannot change revisions_to_keep for a storage pool #3256

@tlaurion

This comment has been minimized.

Show comment
Hide comment
@tlaurion

tlaurion Feb 18, 2018

Contributor

@marmarek @Rudd-O @andrewdavidwong @jpouellet @lamuse: Any documentation pointing to how to recreate a proper development environment to develop tools destined for dom0? I can't believe that the only solution in porting to the new qubesadmin api is to repackage and deploy!?
Contributor

tlaurion commented Feb 18, 2018

@marmarek @Rudd-O @andrewdavidwong @jpouellet @lamuse: Any documentation pointing to how to recreate a proper development environment to develop tools destined for dom0? I can't believe that the only solution in porting to the new qubesadmin api is to repackage and deploy!?
@tlaurion

This comment has been minimized.

Show comment
Hide comment
@tlaurion

tlaurion Feb 19, 2018

Contributor

Found it.

https://www.qubes-os.org/doc/development-workflow/
Contributor

tlaurion commented Feb 19, 2018

Found it.

https://www.qubes-os.org/doc/development-workflow/

This was referenced Feb 23, 2018

Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment