Implement qrexec service for installing template images #1705

Closed
marmarek opened this issue Jan 29, 2016 · 2 comments
Labels
C: core P: major Priority: major. Between "default" and "critical" in severity. release notes This issue should be mentioned in the release notes. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
@marmarek
Member

Currently the only way to install a new template is to use the qubes-dom0-update tool. This means the package needs to be built and signed by ITL.
It would be good to provide a tool (qrexec service) to create new templates from 3rd party sources. The template image itself (root.img) is not trusted by dom0 in any way, so it would not compromise whole system security (contrary to an rpm installed in dom0, which can do anything).
AppVMs based on some template do trust its root.img, but it's up to the user which VMs will use such a template.

Then, having such a service, it will be possible to write a tool (running in some VM), which would download the image, verify its checksum/signature and transfer it to dom0. Optionally first converting the image to "raw" format from something else (vmdk, vdi, qcow2 etc).

Such a template should have PVGrub set as a kernel by default, so the template will be able to use whatever kernel it wants. Including a non-Linux one: MirageOS, FreeBSD etc.

In R4.0, we will have tags for VMs, so such a template should be tagged as imported and imported-from-VMNAME (where VMNAME is the name of the VM which sent that image). Related to #1637

@marmarek marmarek added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. C: core P: major Priority: major. Between "default" and "critical" in severity. release notes This issue should be mentioned in the release notes. labels Jan 29, 2016
@marmarek marmarek added this to the Release 3.1 milestone Jan 29, 2016
andrewdavidwong added a commit that referenced this issue May 31, 2016
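
An added sketch (not part of the original issue and not Qubes code) of the checks the opening comment describes: the VM-side tool verifies a SHA-256 checksum and decides whether the image needs conversion to raw, and the receiving side derives the two proposed tags. The function names, the VM-name pattern and the sample bytes are assumptions; signature verification and the actual transfer are out of scope.

```python
import hashlib
import re
import tempfile

# Magic bytes at offset 0 for two of the non-raw formats named in the issue.
# VDI is left out: its signature follows a text banner, not offset 0.
MAGIC = {b"QFI\xfb": "qcow2", b"KDMV": "vmdk"}

# Assumed naming rule for the sending VM (not taken from the issue).
VM_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,30}")


def sha256_file(path, chunk_size=1 << 20):
    """Hash the image in chunks so a multi-GB file is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_image(path, expected_sha256):
    """VM side: refuse on checksum mismatch, then classify the image format."""
    if sha256_file(path) != expected_sha256.strip().lower():
        raise ValueError("checksum mismatch, refusing to transfer image")
    with open(path, "rb") as f:
        fmt = MAGIC.get(f.read(4), "raw")  # no known header is treated as raw
    return {"format": fmt, "needs_conversion": fmt != "raw"}


def import_tags(source_vm):
    """Receiving side: tags proposed in the issue for an imported template.

    source_vm must be the sender's name as known to the receiving side,
    never a value supplied inside the transferred data.
    """
    if not VM_NAME_RE.fullmatch(source_vm):
        raise ValueError("invalid source VM name")
    return ["imported", "imported-from-" + source_vm]


def make_sample(data):
    """Write constructed sample bytes to a temporary file; return its path."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        return f.name
```
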
@jpouellet
Contributor

jpouellet commented May 26, 2017

Would this be resolved by QubesOS/qubes-doc@7ec63f5?

Also, XREF #2634 since I hadn't noticed this before.

jpouellet referenced this issue in QubesOS/qubes-doc May 26, 2017
This will allow importing full VM through the Admin API. Important for
"VM import" feature (QubesOS/qubes-issues#2634) and "paranoid backup
restore" (QubesOS/qubes-issues#2737).
@marmarek
Member Author

Admin API covers all of this. It is already possible to install a qubes-template-* rpm package from a VM (having appropriate Admin API access). Some nicer UI could be useful, but that's #2534
