Adapt disposable documentation up to 4.3 #1554
Conversation
ben-grande
force-pushed
the
preload-doc
branch
from
6251046 to
5f5d356
Compare
This comment was marked as outdated.
This comment was marked as outdated.
ben-grande
force-pushed
the
preload-doc
branch
6 times, most recently
from
fe3ee28 to
266da6a
Compare
|
Textual review can be done, I don't think I will change much more the text (I hope). The images will be updated. Read commit message for details about the changes. |
ben-grande
force-pushed
the
preload-doc
branch
5 times, most recently
from
870fd51 to
7ce5722
Compare
parulin
left a comment
parulin
left a comment
There was a problem hiding this comment.
First of all, great job! I only reviewed how-to-disposables.rst.
Additional comments that could be part of another PR (from someone else):
-
your definition of a disposable is better than the original and should be copy-pasted to the glossary
-
how-to-use-disposables is just the basics to learn what are disposables and how to use them
I think that there are still too many things on this page but it is way better!
-
the headings could be much deeper but it's a personal preference? Ie: "Open an application in a disposable", then "from GUIVM", "Via command-line from an app qube"
-
the "Screenshots" page still uses screenshots from the R4.0, as you said nobody deserves that.
| From inside an app qube, choosing the ``Open in disposable`` option on a file will launch a disposable for just that file. Changes made to a file opened in a disposable are passed back to the originating qube. This means that you can safely work with untrusted files without risk of compromising your other qubes. Disposables can be launched either directly from dom0’s app menu or terminal window, or from within app qubes. Disposables are generated with names like ``disp####``, where ``####`` is random number. | ||
| - View untrusted files without other trusted files on the same system; | ||
| - Visit untrusted websites in a web browser without previous authentication cookies present; | ||
| - Clean build systems without cache. |
There was a problem hiding this comment.
It might be very obscure for non-technical users, I suppose that it would be better to mention this in build-related docs?
There was a problem hiding this comment.
I wanted to technical users to see the value of disposables being pristine. I agree it is technical, but I don't think it will create an obstacle for the user to understand because the previous two items were very simple. I agree that you should continue pushing me to simplify things though, I will see it on a case by case basis.
There was a problem hiding this comment.
Could be mentioned like this?
- Clean build systems without cache. (for technical users)| - Visit untrusted websites in a web browser without previous authentication cookies present; | ||
| - Clean build systems without cache. | ||
|
|
||
| Disposables can be launched either directly from GUIVM's app menu or terminal window, or from within app qubes. Disposables are generated with names like :samp:`disp{1234}`, where :samp:`{1234}` is a random number. Below is an example of disposable workflow benefits: |
There was a problem hiding this comment.
Using "GUIVM" should be linked to a new glossary entry. Even if I understand why you want to use this term, I personally think it is too soon to use it.
There was a problem hiding this comment.
Qubes introduced GUI domains in 2020. I understand it has not taken off yet, it needs more testers and developers time to sharpen it.
I want users to think of dom0 as GUI domain, because it can run the app menu as well as qvm-features. When a GUI domain different than dom0 takes place, the transition will be simpler and the docs will still be up-to-date for users that don't have access to dom0 anymore because they are using the GUI domain.
| In Qubes 4.1, the entry in the Application menu is split into ‘Disposable’ and ‘Template (disp)’. The settings for the disposable can be changed under :menuselection:`Application Menu --> Template (disp) --> Template: Qubes Settings` | ||
| First, you need to :ref:`create an app qube <introduction/getting-started:adding removing and listing qubes`. We will assume that the qube was created with the name ``default-dvm``. | ||
|
|
||
| Next, go to :menuselection:`Application Menu --> TEMPLATES --> default-dvm --> Settings --> Advanced --> Disposable template` and enable it, at last, click on :guilabel:`OK` to accept the changes and close the window. |
There was a problem hiding this comment.
This is a wrong instruction: if the app qube is not a disposable template, it is not present in TEMPLATES but rather in APPS. And in this case, it could be better to use another name (to allow the user to test the instructions).
There was a problem hiding this comment.
Ok, user another name just for the creation. The rest still uses default-dvm as not every user will create a disposable template.
| - ``default-mgmt-dvm`` is a :term:`management qube`, used for :doc:`Salt </user/advanced-topics/salt>` and Debug Console. | ||
| - ``qubes-builder-dvm`` is a :doc:`Qubes Builder V2 Executor qube </developer/building/qubes-builder-v2>`, use | ||
|
|
||
| To configure, for example, the ``default-mgmt-dvm`` qube using the app menu, in :menuselection:`Application Menu --> TEMPLATES --> default-mgmt-dvm --> Settings --> Advanced --> Preload disposables`, choose a number such as ``2``. |
There was a problem hiding this comment.
default-mgmt-dvm being an internal qube, I can't see it in the app menu, but I might have changed that?
There was a problem hiding this comment.
No, I changed that in the menu code some months ago, I am not sure if it makes sense to have it in templates, but funny that I removed it and documented as if it should be there... For now, I will recommend another method.
|
|
||
| - Default editor, image viewer. In Debian derivatives, this can be done with the :program:`mimeopen` command. | ||
|
|
||
| 3. Shutdown the qube, either with QUI domain, :menuselection:`Application Menu --> TEMPLATES --> <DISPOSABLE_TEMPLATE> --> Shutdown`, :program:`qvm-shutdown` from the GUIVM terminal or with :program:`poweroff` from qube's terminal. |
There was a problem hiding this comment.
Same remark about "QUI domain".
| -------------------------------------- | ||
|
|
||
| In an app qube’s file manager, right click on the file you wish to open in a disposable, then choose “View in disposable” or “Edit in disposable”. Wait a few seconds and the default application for this file type should appear displaying the file content. This app is running in its own dedicated qube – a disposable created for the purpose of viewing or editing this very file. Once you close the viewing application the whole disposable will be destroyed. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. | ||
| In an app qube's file manager, right click on the file you wish to open in a disposable, then choose :guilabel:`View in disposable` or :guilabel:`Edit in disposable`. Wait a few seconds and the default application for this file type should appear displaying the file content. This app is running in its own dedicated qube, a disposable created for the purpose of viewing or editing this very file. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. |
There was a problem hiding this comment.
The two :guilabel roles are precisely ending with qube on the screenshot:
then choose :guilabel:`View in disposable qube` or :guilabel:`Edit in disposable qube`.
ben-grande
left a comment
ben-grande
left a comment
There was a problem hiding this comment.
First of all, great job! I only reviewed
how-to-disposables.rst.
Thanks for the review :)
Additional comments that could be part of another PR (from someone else):
I don't understand this.
* your definition of a disposable is better than the original and should be copy-pasted to the glossary
Done.
* > how-to-use-disposables is just the basics to learn what are disposables and how to use them I think that there are still too many things on this page but it is way better!
Moved some things to disposable customization page.
* the headings could be much deeper but it's a personal preference? Ie: "Open an application in a disposable", then "from GUIVM", "Via command-line from an app qube"
I think that that headers cannot be only from GUIVM, because when referencing it, there will be multiple ones, if I duplicate the headers, it will introduce a lot of clutter. I agree with your suggestion, but RST or Markdown header referencing does not consider nested headers very well, each header should be unique, else we need to reference it with numbers, #from GUIVM 1, #from GUIVM 2 (at least fro Markdown, I don't know how RST handles that, but if I change the sections order, the links with only numbers will be syntactically correct but point to the wrong sections.
A bit more of why I didn't use deeper levels, the simple usage of disposables from GUI domain is not the same as the usage from an app qube. From GUI domain, you'd launch applications, from app qube, you'd normally sanitize/view/edit a file. They don't fit in the same heading. Although opening applications can be done from the app qube, I moved it to the disposable customization page, because that is not the simplest thing to have on this page.
What remains is:
Open an application in a disposable (from GUI domain)
- GUI
- CLI
Open a file in a disposable (from app qube)
- GUI
- CLI
And I decided to not add deeper headers for GUI and CLI because it seems simpler as the CLI version is short.
* the "Screenshots" page still uses screenshots from the R4.0, as you said nobody deserves that.
Removed.
| -------------------------------------- | ||
|
|
||
| In an app qube’s file manager, right click on the file you wish to open in a disposable, then choose “View in disposable” or “Edit in disposable”. Wait a few seconds and the default application for this file type should appear displaying the file content. This app is running in its own dedicated qube – a disposable created for the purpose of viewing or editing this very file. Once you close the viewing application the whole disposable will be destroyed. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. | ||
| In an app qube's file manager, right click on the file you wish to open in a disposable, then choose :guilabel:`View in disposable` or :guilabel:`Edit in disposable`. Wait a few seconds and the default application for this file type should appear displaying the file content. This app is running in its own dedicated qube, a disposable created for the purpose of viewing or editing this very file. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. |
| - ``default-mgmt-dvm`` is a :term:`management qube`, used for :doc:`Salt </user/advanced-topics/salt>` and Debug Console. | ||
| - ``qubes-builder-dvm`` is a :doc:`Qubes Builder V2 Executor qube </developer/building/qubes-builder-v2>`, use | ||
|
|
||
| To configure, for example, the ``default-mgmt-dvm`` qube using the app menu, in :menuselection:`Application Menu --> TEMPLATES --> default-mgmt-dvm --> Settings --> Advanced --> Preload disposables`, choose a number such as ``2``. |
There was a problem hiding this comment.
No, I changed that in the menu code some months ago, I am not sure if it makes sense to have it in templates, but funny that I removed it and documented as if it should be there... For now, I will recommend another method.
| .. image:: /attachment/doc/r4.3-disp-preload-local.png | ||
| :alt: | ||
|
|
||
| This can also be changed from the command line with :program:`qvm-features` targeting ``default-mgmt-dvm``: |
| First, you need to create an app qube. You can run it normally, set up any necessary settings (like browser settings) you wish to be applied to every disposable qube ran from this template. Next, go to ‘Qube Settings’ of the app qube, set it as a *Disposable template* in the *Advanced* section and apply the change. | ||
|
|
||
| In Qubes 4.1, the entry in the Application menu is split into ‘Disposable’ and ‘Template (disp)’. The settings for the disposable can be changed under :menuselection:`Application Menu --> Template (disp) --> Template: Qubes Settings` | ||
| First, you need to :ref:`create an app qube <introduction/getting-started:adding removing and listing qubes`. We will assume that the qube was created with the name ``default-dvm``. |
| Named disposables are also built upon disposable templates, but they have a fixed name. The named disposable seems to behave like an ordinary app qube - every application you open will start in the same qube, and you need to manually shutdown the qube. But when you shutdown *any changes you made in the named disposable will be lost*. Except for this non-persistance, they feel like usual app qubes. | ||
| Named disposables are also built upon disposable templates, but they have a fixed name. The named disposable seems to behave like an ordinary app qube, the qube doesn't shutdown when you close the initial application, every application you open will start in the same qube, and you need to manually shutdown the qube. But when you shutdown *any changes you made in the named disposable will be lost*. | ||
|
|
||
| More information about disposable customization can be found in the :ref:`advanced section <user/advanced-topics/disposable-customization:creating a new disposable template>`. |
| Named disposables are also built upon disposable templates, but they have a fixed name. The named disposable seems to behave like an ordinary app qube - every application you open will start in the same qube, and you need to manually shutdown the qube. But when you shutdown *any changes you made in the named disposable will be lost*. Except for this non-persistance, they feel like usual app qubes. | ||
| Named disposables are also built upon disposable templates, but they have a fixed name. The named disposable seems to behave like an ordinary app qube, the qube doesn't shutdown when you close the initial application, every application you open will start in the same qube, and you need to manually shutdown the qube. But when you shutdown *any changes you made in the named disposable will be lost*. | ||
|
|
||
| More information about disposable customization can be found in the :ref:`advanced section <user/advanced-topics/disposable-customization:creating a new disposable template>`. |
There was a problem hiding this comment.
I found in the build now:
/home/docs/checkouts/readthedocs.org/user_builds/qubes-doc/checkouts/1554/user/how-to-guides/how-to-use-disposables.rst:40: WARNING: undefined label: 'create an app qube <introduction/getting-started:adding removing and listing qubes' [ref.ref]
Maybe warnins should be treated as errors with -W? Difficult to find this on line 418, there is no color difference, it is in the middle of various unrelated progress logs. This has to be changed on the readthedocs admin page? Maybe customizable?
| - Visit untrusted websites in a web browser without previous authentication cookies present; | ||
| - Clean build systems without cache. | ||
|
|
||
| Disposables can be launched either directly from GUIVM's app menu or terminal window, or from within app qubes. Disposables are generated with names like :samp:`disp{1234}`, where :samp:`{1234}` is a random number. Below is an example of disposable workflow benefits: |
There was a problem hiding this comment.
Qubes introduced GUI domains in 2020. I understand it has not taken off yet, it needs more testers and developers time to sharpen it.
I want users to think of dom0 as GUI domain, because it can run the app menu as well as qvm-features. When a GUI domain different than dom0 takes place, the transition will be simpler and the docs will still be up-to-date for users that don't have access to dom0 anymore because they are using the GUI domain.
| From inside an app qube, choosing the ``Open in disposable`` option on a file will launch a disposable for just that file. Changes made to a file opened in a disposable are passed back to the originating qube. This means that you can safely work with untrusted files without risk of compromising your other qubes. Disposables can be launched either directly from dom0’s app menu or terminal window, or from within app qubes. Disposables are generated with names like ``disp####``, where ``####`` is random number. | ||
| - View untrusted files without other trusted files on the same system; | ||
| - Visit untrusted websites in a web browser without previous authentication cookies present; | ||
| - Clean build systems without cache. |
There was a problem hiding this comment.
I wanted to technical users to see the value of disposables being pristine. I agree it is technical, but I don't think it will create an obstacle for the user to understand because the previous two items were very simple. I agree that you should continue pushing me to simplify things though, I will see it on a case by case basis.
ben-grande
force-pushed
the
preload-doc
branch
3 times, most recently
from
47f1125 to
b6a1fc7
Compare
|
I did my best to make the images resolution larger. I used Xfce because I want the all Qubes screenshots to have the same look and feel. I changed the dpi inside and outside the qube to a bigger number, I also changed the font dpi to be bigger. I had to make a lot of changes and still forgot some things, such as the window borders being so small on my high dpi. And... I just learned how to increase the border on Xfce... might retake some screenshots. |
|
Yeah, Xfce makes it hard to have everything configured in a single way. With i3, I have to set the DPI only with xresources and panel and window title borders update. With i3, i have to set:
But oh well, doing the screenshots. |
ben-grande
force-pushed
the
preload-doc
branch
from
b6a1fc7 to
79e0938
Compare
|
Ok, can read window titles and see qube names on the screenshots now. |
| - ``qubes-builder-dvm`` serves as a :doc:`Qubes Builder V2 Executor qube </developer/building/qubes-builder-v2>` | ||
|
|
||
| @anyvm @dispvm:<ONLINE_DISPOSABLE_TEMPLATE> allow | ||
| To configure, for example, the ``default-mgmt-dvm`` qube using the app menu, in :menuselection:`Application Menu --> Settings --> Qubes Tools --> Qube Manager --> View --> Show internal qubes --> default-mgmt-dvm --> Settings --> Advanced --> Preload disposables`, choose a number such as ``2``. At this point, you may deselect :guilabel:`Show internal qubes` to hide them again. |
There was a problem hiding this comment.
Given the very long menuselection role, I would split this, with a note:
To configure, for example, the ``default-mgmt-dvm``, open the qube's settings then go to :menuselection:`Advanced --> Preload disposables`, choose a number such as ``2``.
.. note:: ``default-mgmt-dvm`` is an *internal qube*, so in order to access its settings, you can use *Qube Manager*. If ``default-mgmt-dvm`` is not listed, make sure to select :menuselection:`&View --> Show internal qubes`. Once you have changed the settings, you may deselect it, to hide them again.I don't know how to markup internal qube because it should be a term in the glossary.
Also I don't think that this page should tell the user how to open Qube Manager but the docs aren't currently telling them how to do that...
There was a problem hiding this comment.
I will add internal to the glossary. The getting started page has a mention how to open the Qube Manager:
https://doc.qubes-os.org/en/latest/introduction/getting-started.html#qube-manager
Albeit without reST roles or a dedicated page for it. I don't think that I should reference how to open the Qube Manager in another page, there are cases where this should be done and I am not sure it is this one. I agree that some menuselection paths are very long though.
The introduction/getting-started.html#adding-removing-and-listing-qubes lists broken ways to delete a qube and the way to add a qube is has the old labels....
What I fear is this:
- User starts reading a how to, the section is incomplete, it has a link to another page that needs to be done first
- This other page will be loaded in the same tab if user doesn't click open in a new tab, might have links to another page or section of things that has to be done first
- When reaching this other section of the other page, the user is already lost, they have been redirected some times.
But I also don't like repetition. Ideally, reST would have an easy way to specify that certain links should open in an new tab/window, but I find the syntax of requiring html a dirty in a reST. file. Maybe it gives better Results, I will experiment with it.
There was a problem hiding this comment.
What I fear is this:
An example of creating named disposables:
:ref:`Create a new qube <introduction/....:create qube>` with the :guilabel:`Named disposable`The user clicks on the link and it opens on the same page or a new tab, follows the instruction there and then open the Create new qube window, what now? Will they create an app qube as that is the default and also because they didn't finish reading the whole sentence or don't remember anymore because opening a new page added a new context? I don't know.
Create a :guilabel:`Named disposable` in the :ref:`Create a new qube <introduction/....:create qube>` window.The user has a new context Named disposable button before they can even see it as the window is not opened yet, confusing. Will they remember the button after clicking on the link to create a new qube and getting a new context?
Since you already spent a lot of time on this, I didn't want to push you to make those additional changes yourself... I failed. About the headers, I'm personally okay with some repetition like:
But given the cleanup you made, it is not useful now. Talking about the sections, I feel like the "Security" section should not be part of the How-to but of the implementation page. About your screenshots, I already saw that you made some adjustments for readability and the new ones are even better but I'm skeptical about the maintenance burden to update those screenshots. So your efforts might be lost in newer releases. But given that we still use R4.0 screenshots, why not?! |
The build process still has various errors on other pages, that have to be fixed before making such a change. |
|
I forgot to mention that I haven't tested R4.3 yet but reading the docs makes me feel like it will be very easy to use! |
I'm here for this, to fix this outdated documentation. I will fix everything on these pages. I am trying to avoid fixing other related pages though, would be too much now.
I pondered on this multiple times. One of the questions that keeps popping up on the forum is about disposables and local forensics, so I did reference that from the user guide. Recently, the threads have switched to how to make them anti-forensic and fail because it is not supported by upstream. A reason to remove it is that it has a link to the disposable-customization page, which is for advanced users. But that is the last link of 3 on that page, the previous ones have to remain on As every customization documented is on the disposable customization page, I think it should be ok to remove the security section from that page, let's see what others think.
I took the screenshot by selection regions or windows to avoid capturing information that might change such as system tray, wallpaper etc. I think the screenshots will be up to date for some years to come still. Let's see. |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
|
|
||
| The system's default disposable template can be configured in |qubes-logo-icon|:menuselection:`Qubes App Menu (Q icon) --> Settings (icon) --> Qubes Tools --> Qubes Global Config --> General --> Default disposable template`, choose to your liking and click :guilabel:`Apply Changes and Close`. This can also be changed from the command line with with :program:`qubes-prefs`: |
There was a problem hiding this comment.
A screenshot here could be nice
| Change settings of the disposable template | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| It is possible to change the settings for each new disposable. This can be done by customizing the disposable template on which it is based: | ||
|
|
||
| 1. Start a terminal in the ``<DISPOSABLE_TEMPLATE>`` qube (or another disposable template) by running the following command in a dom0 terminal. (If you enable ``appmenus-dispvm`` feature (as explained at the top), applications menu for this VM (``<DISPOSABLE_TEMPLATE>``) will be “Disposable: ” (instead of “Domain: ”) and entries there will start new disposable based on that VM (``<DISPOSABLE_TEMPLATE>``). Not in that VM (``<DISPOSABLE_TEMPLATE>``) itself). | ||
| You might for example, want to disable all networking for the specific disposable template by default, which can be done by setting the net qube to ``none``. Then, whenever you start a new disposable, you can choose your desired net qube manually (by changing the newly-started disposables settings). |
There was a problem hiding this comment.
- This part is a bit unclear. Maybe start by telling the user that they can change the disposable settings just like any other app qube? Then tell them that they can change any settings of an unnamed disposable with the same method?
- The header is not exact
- The command-line alternative is missing
| 1. Start a terminal (or your chosen application) in the :samp:`{<DISPOSABLE_TEMPLATE>}` qube with |qubes-logo-icon|:menuselection:`Qubes App Menu (Q icon) --> TEMPLATES --> <DISPOSABLE_TEMPLATE> --> Run Terminal` or by running the following command in a :term:`GUI domain`: | ||
|
|
||
| 3. Shutdown the qube (either by ``poweroff`` from qube’s terminal, or ``qvm-shutdown`` from dom0 terminal). | ||
| .. code:: console | ||
| [user@dom0 ~] $ qvm-run --service -- <DISPOSABLE_TEMPLATE> qubes.StartApp+qubes-run-terminal | ||
| 2. Change the applications settings, as desired. Some examples of changes you may want to make include: | ||
|
|
||
| Using named disposables for service qubes | ||
| ----------------------------------------- | ||
| - Firefox's default startup settings and homepage. | ||
|
|
||
| - Default editor, image viewer. In Debian derivatives, this can be done with the :program:`mimeopen` command. | ||
|
|
||
| You can use a :term:`named disposable` for service qubes (such as those with the ``sys-*`` naming scheme) as long as they are stateless. For example, a ``sys-net`` using DHCP or ``sys-usb`` will work. In most cases ``sys-firewall`` will also work, even if you have configured app qube firewall rules. The only exception is if you require something like VM to VM communication and have manually edited ``iptables`` or other items directly inside the firewall app qube. | ||
| 3. Shutdown the qube, either with Qubes Domains widget, |qubes-logo-icon|:menuselection:`Qubes App Menu (Q icon) --> TEMPLATES --> <DISPOSABLE_TEMPLATE> --> Shutdown`, :program:`qvm-shutdown` from the :term:`GUI domain` terminal or with :program:`poweroff` from qube's terminal. |
There was a problem hiding this comment.
It is unclear to me. Maybe provide the generic method like:
1. Open the application
2. Change the applications settings, as desired.
3. Shutdown the qubeThen some examples and a detailed one with the terminal?
This page is for advanced users so opening an application and shutting down a qube should be a required knowledge. But in the same time, I don't think the docs explain how to do that.
There was a problem hiding this comment.
I think that the current text is fine. I think it already is a generic method with examples.
| This process must be repeated for every qube that references the :samp:`{<DISPOSABLE_TEMPLATE>}`. | ||
|
|
||
| Disposable template deletion |
There was a problem hiding this comment.
This should be the first header. The other ones are more particular.
There was a problem hiding this comment.
They are only necessary when deleting the disposable template. I changed the header. It is not so much of set or unset as it is about retiring.
| If the :samp:`{<DISPOSABLE_TEMPLATE>}` is referenced, unset the system's default disposable template: | ||
|
|
||
| .. code:: console | ||
| [user@dom0 ~]$ qvm-prefs <QUBE> | grep default_dispvm | ||
| default_dispvm - <DISPOSABLE_TEMPLATE> | ||
| [user@dom0 ~] $ qubes-prefs default_dispvm "" |
There was a problem hiding this comment.
You can just link to the "Set the system’s default disposable template" section instead.
| Now let's check the per qube ``default_dispvm`` property for any qube: | ||
|
|
||
| .. code:: console | ||
| [user@dom0 ~] $ qvm-prefs <QUBE> | grep default_dispvm | ||
| default_dispvm - <DISPOSABLE_TEMPLATE> |
There was a problem hiding this comment.
Is there a way to find out the problematic default_dispvm with checking each qube manually?
There was a problem hiding this comment.
Trying to remove the qube can show the dependencies. I kept the old method. Starting with deletion and see what it fails than repeat the process is also possible...
| .. |qubes-logo-icon| image:: /attachment/icons/128x128/apps/qubes-logo-icon.png | ||
| :height: 1em | ||
| :class: no-scaled-link | ||
| :alt: Qubes logo icon |
There was a problem hiding this comment.
If we want to generalize that icon, it could be better to use the rst_epilog in conf.py
ben-grande
force-pushed
the
preload-doc
branch
2 times, most recently
from
87f06ed to
7236491
Compare
ben-grande
left a comment
ben-grande
left a comment
There was a problem hiding this comment.
If I didn't reply to something, I forgot, browsing github conversions is kinda pain. Can ping me again.
| Change settings of the disposable template | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| It is possible to change the settings for each new disposable. This can be done by customizing the disposable template on which it is based: | ||
|
|
||
| 1. Start a terminal in the ``<DISPOSABLE_TEMPLATE>`` qube (or another disposable template) by running the following command in a dom0 terminal. (If you enable ``appmenus-dispvm`` feature (as explained at the top), applications menu for this VM (``<DISPOSABLE_TEMPLATE>``) will be “Disposable: ” (instead of “Domain: ”) and entries there will start new disposable based on that VM (``<DISPOSABLE_TEMPLATE>``). Not in that VM (``<DISPOSABLE_TEMPLATE>``) itself). | ||
| You might for example, want to disable all networking for the specific disposable template by default, which can be done by setting the net qube to ``none``. Then, whenever you start a new disposable, you can choose your desired net qube manually (by changing the newly-started disposables settings). |
| 1. Start a terminal (or your chosen application) in the :samp:`{<DISPOSABLE_TEMPLATE>}` qube with |qubes-logo-icon|:menuselection:`Qubes App Menu (Q icon) --> TEMPLATES --> <DISPOSABLE_TEMPLATE> --> Run Terminal` or by running the following command in a :term:`GUI domain`: | ||
|
|
||
| 3. Shutdown the qube (either by ``poweroff`` from qube’s terminal, or ``qvm-shutdown`` from dom0 terminal). | ||
| .. code:: console | ||
| [user@dom0 ~] $ qvm-run --service -- <DISPOSABLE_TEMPLATE> qubes.StartApp+qubes-run-terminal | ||
| 2. Change the applications settings, as desired. Some examples of changes you may want to make include: | ||
|
|
||
| Using named disposables for service qubes | ||
| ----------------------------------------- | ||
| - Firefox's default startup settings and homepage. | ||
|
|
||
| - Default editor, image viewer. In Debian derivatives, this can be done with the :program:`mimeopen` command. | ||
|
|
||
| You can use a :term:`named disposable` for service qubes (such as those with the ``sys-*`` naming scheme) as long as they are stateless. For example, a ``sys-net`` using DHCP or ``sys-usb`` will work. In most cases ``sys-firewall`` will also work, even if you have configured app qube firewall rules. The only exception is if you require something like VM to VM communication and have manually edited ``iptables`` or other items directly inside the firewall app qube. | ||
| 3. Shutdown the qube, either with Qubes Domains widget, |qubes-logo-icon|:menuselection:`Qubes App Menu (Q icon) --> TEMPLATES --> <DISPOSABLE_TEMPLATE> --> Shutdown`, :program:`qvm-shutdown` from the :term:`GUI domain` terminal or with :program:`poweroff` from qube's terminal. |
There was a problem hiding this comment.
I think that the current text is fine. I think it already is a generic method with examples.
|
|
||
| You can create as many disposable templates as you want. First, you need to :ref:`create an app qube <introduction/getting-started:adding, removing, and listing qubes>`. | ||
|
|
||
| Next, go to |qubes-logo-icon|:menuselection:`Qubes App Menu (Q icon) --> APPS --> <DISPOSABLE_TEMPLATE> --> Settings --> Advanced --> Disposable template` and enable it, at last, click on :guilabel:`OK` to accept the changes and close the window. To modify settings of the disposable template itself or how programs are run on it, use the :guilabel:`TEMPLATES` tab. |
There was a problem hiding this comment.
No. But at this point, the future disposable template is still in the APPS tab.
|
|
||
| You can use the :program:`qvm-service` command or the services GUI to cause an application in a qube to open files and URLs in a disposable. To do this, enable a service named :samp:`app-dispvm.{X}` in that qube, where :samp:`{X}` is the application ID. | ||
|
|
||
| For instance, to have Matrix Element desktop application open all attachments in a disposable, find its application name (normally in :file:`~/.local/share/applications` or :file:`/usr/share/applications`. In the current case, we identified the application name to be ``io.element.Element`` (in your case it may as well be ``im.riot.Riot``). Finally, enable the ``app-dispvm.io.element.Element`` service. |
There was a problem hiding this comment.
Changed to Thunderbird.
I think that using qvm-appmenus requires using the command-line, while finding the file can be done in the file manager.
| This process must be repeated for every qube that references the :samp:`{<DISPOSABLE_TEMPLATE>}`. | ||
|
|
||
| Disposable template deletion |
There was a problem hiding this comment.
They are only necessary when deleting the disposable template. I changed the header. It is not so much of set or unset as it is about retiring.
| If the :samp:`{<DISPOSABLE_TEMPLATE>}` is referenced, unset the system's default disposable template: | ||
|
|
||
| .. code:: console | ||
| [user@dom0 ~]$ qvm-prefs <QUBE> | grep default_dispvm | ||
| default_dispvm - <DISPOSABLE_TEMPLATE> | ||
| [user@dom0 ~] $ qubes-prefs default_dispvm "" |
| **Note:** You can use ``qvm-pci`` to :ref:`determine <user/how-to-guides/how-to-use-pci-devices:\`\`qvm-pci\`\` usage>` the ``<BDF>``. Also, you will often need to include the ``-o no-strict-reset=True`` :ref:`option <user/how-to-guides/how-to-use-pci-devices:no-strict-reset>` with USB controllers. | ||
| You can use a :term:`named disposable` for a :term:`service qube` (such as those with the ``sys-*`` naming scheme) as long as they are stateless. For example, a ``sys-net`` using DHCP or ``sys-usb`` will work. In most cases ``sys-firewall`` will also work, even if you have configured app qube firewall rules. The only exception is if you require something like qube to qube communication and have manually edited ``nftables`` or other items directly inside the firewall app qube. | ||
|
|
||
| Named disposable for service qubes without PCI devices |
There was a problem hiding this comment.
Yeah..., this is hard... appmenus-dispvm is not available via GUI, so not everything can be done via GUI. I will try.
ben-grande
force-pushed
the
preload-doc
branch
6 times, most recently
from
d20c31e to
7bedcf3
Compare
I don't like it too. Do you prefer another way to get a review? |
I don't know of a better way right now. New Github UI says that I need to go back to the old UI after 40 comments on a PR. I am reading my mail to find if you commented on something or not. |
ben-grande
force-pushed
the
preload-doc
branch
from
7bedcf3 to
46aba9e
Compare
ben-grande
force-pushed
the
preload-doc
branch
from
46aba9e to
7940cfd
Compare
rapenne-s
left a comment
rapenne-s
left a comment
There was a problem hiding this comment.
it's almost good to me to being merged, there are just a few things to check and fix and it's good to go. Thanks for your work @ben-grande , and thank you very much @parulin for your reviews, as always!
| 5. (in APPVM) APPVM boots normally, up to the point in ``/etc/init.d/qubes_core`` script when the presence of ``qubes_save_request`` key is tested. If it exists, then | ||
|
|
||
| 1. (in APPVM) if exists, prerun script is retrieved from the respective xenstore key and executed. This preloads filesystem cache with useful applications, so that they will start faster. | ||
| Preloaded disposables are started in the background and kept hidden from the user when not in use. They are interrupted (paused or suspended, as appropriate) and resumed (transparently) when a disposable qube is requested by the user. |
There was a problem hiding this comment.
I think this deserves an extra sentence that tells you need to start a disposable qube of the same kind of the one preloaded. If you have different disposable template, but only the default preloaded, the preload will not help.
There was a problem hiding this comment.
I can link to unnamed disposable glossary or this page that explains this in detail.
It is also explained on the second paragraph of the disposable behavior.
I don't think the developer documentation should explain again disposable's inheritance.
In the how-to-use-disposables, there are examples of using disposables out of a disposable template, I can in that same page link the preloaded disposable usage to the normal disposable usage. It is limited what I can say on how-to-use-disposables because I restricted mentioning that there can be multiple disposable templates and the examples always use default-dvm when possible.
The preloaded disposable section in how-to-use-disposables unfortunately has to mention system's default_disposable template and qube's default disposable template, which gives a hint that they can be different, and in that case, they have to be preloaded from individual disposable templates.
Only disposable-customization goes into detail about multiple disposable templates.
There was a problem hiding this comment.
I did mention briefly template inheritance on how-to-use-disposables inside the preloaded disposables section:
| 5. create the same xenstore keys as normally created when AppVM boots (e.g. ``qubes_ip``) | ||
|
|
||
| 6. create the ``qubes_restore_complete`` xenstore key. This allows the boot process in DisposableVM to continue. | ||
| At the end of preloading, the qube is paused if it has not been requested yet, but before pausing, on :py:meth:`domain-pre-paused <core-admin:qubes.vm.dispvm.DispVM.on_domain_pre_paused>`, it attempts to retrieve memory from the qube by setting it to use its preferred memory value, which in :doc:`qmemman parlance </developer/services/qmemman>`, is just enough to have the qube running. The memory must be managed before the qube is paused, cause once on the paused state, it is not possible to negotiate with the domain. |
There was a problem hiding this comment.
What is parlance in qmemman ?
There was a problem hiding this comment.
Used term to simplify, but to answer the question, domain-specific vocabulary.
user/reference/glossary.rst
Outdated
|
|
||
| - Currently, the only admin qube is :term:`dom0`. | ||
|
|
||
| .. glossary:: Primary |
There was a problem hiding this comment.
Why do we need a sub section named Primary here?
ben-grande
force-pushed
the
preload-doc
branch
4 times, most recently
from
d0f8789 to
270f514
Compare
|
@marmarek A review to disposable-implementation would be nice, especially the part about past implementations. |
ben-grande
force-pushed
the
preload-doc
branch
from
270f514 to
3417814
Compare
|
|
||
| From inside an app qube, choosing the ``Open in disposable`` option on a file will launch a disposable for just that file. Changes made to a file opened in a disposable are passed back to the originating qube. This means that you can safely work with untrusted files without risk of compromising your other qubes. Disposables can be launched either directly from dom0’s app menu or terminal window, or from within app qubes. Disposables are generated with names like ``disp####``, where ``####`` is random number. | ||
| - View untrusted files without other trusted files on the same system; | ||
| - Visit untrusted websites in a web browser without authentication cookies from from from from from from from from from previous session; |
There was a problem hiding this comment.
from from from from from from from from from
| A :term:`disposable template` is a qube which has the :py:class:`AppVM <core-admin:qubes.vm.appvm.AppVM>` class and the :py:attr:`template_for_dispvms <core-admin:qubes.vm.mix.dvmtemplate.DVMTemplateMixin.template_for_dispvms>` property enabled, being a :py:class:`DVMTemplateMixin <core-admin:qubes.vm.mix.dvmtemplate.DVMTemplateMixin>`. | ||
|
|
||
| DisposableVM is not started like other VMs, by executing equivalent of ``xl create`` - it would be too slow. Instead, DisposableVM are started by restore from a savefile. | ||
| A :term:`disposable` is a qube with the :py:class:`DispVM <core-admin:qubes.vm.dispvm.DispVM>` class and is based on a disposable template. Every disposable type has all of its volumes configured to disable :py:attr:`save_on_stop <core-admin:qubes.storage.Volume.save_on_stop>`, therefore no changes are saved on shutdown. Unnamed disposables enables the property :py:attr:`auto_cleanup <core-admin:qubes.vm.dispvm.DispVM.auto_cleanup>` by default, thus automatically removes the qube upon shutdown. |
There was a problem hiding this comment.
Define also named disposable here? Next paragraph say what they can be used for, but not what are they.
| Unnamed disposables have their names in the format :samp:`disp{1234}`, where :samp:`{1234}` is derived from the :py:attr:`dispid <core-admin:qubes.vm.dispvm.DispVM.dispid>` property, a random integer ranging from 0 to 9999 with a fail-safe mechanism to avoid reusing the same value in a short period. | ||
|
|
||
| 2. xenstore key ``/local/domain/appvm_domain_id/qubes_save_request`` is created | ||
| The system and every qube can have the :py:attr:`default_dispvm <core-admin:qubes.vm.dispvm.DispVM.default_dispvm>` property. If the qube property is set to the default value, it will use the system's property. This property can only have disposable template as value or an empty value. Qubes which have this property set are allowed to request the creation of a disposable from this property. An exception to the rule is the property of disposables, which always default to their disposables templates to avoid data leaks such as using unintended network paths. |
There was a problem hiding this comment.
Qubes which have this property set are allowed
This is not true. It's up to qrexec policy to control that. default_dispvm property allows using short @dispvm keyword, but even without default_dispvm a policy could allow for example a call to @dispvm:default-dvm.
There was a problem hiding this comment.
An exception to the rule
This feels like referencing the "are allowed to request" part, but in fact it references "will use the system's property". Move the sentence earlier?
There was a problem hiding this comment.
Clarified this part. Yes, was confusing.
| Disposable behavior | ||
| ------------------- | ||
|
|
||
| A :term:`disposable template` is a qube which has the :py:class:`AppVM <core-admin:qubes.vm.appvm.AppVM>` class and the :py:attr:`template_for_dispvms <core-admin:qubes.vm.mix.dvmtemplate.DVMTemplateMixin.template_for_dispvms>` property enabled, being a :py:class:`DVMTemplateMixin <core-admin:qubes.vm.mix.dvmtemplate.DVMTemplateMixin>`. |
There was a problem hiding this comment.
The AppVM class is not really true. Standalone can also be a disposable template. Maybe keep just the template_for_dispvms part?
There was a problem hiding this comment.
Removed the appvm part.
| The system and every qube can have the :py:attr:`default_dispvm <core-admin:qubes.vm.dispvm.DispVM.default_dispvm>` property. If the qube property is set to the default value, it will use the system's property. This property can only have disposable template as value or an empty value. Qubes which have this property set are allowed to request the creation of a disposable from this property. An exception to the rule is the property of disposables, which always default to their disposables templates to avoid data leaks such as using unintended network paths. | ||
|
|
||
| 3. if prerun script was specified, copy it to ``qubes_save_script`` xenstore key | ||
| There are some Qrexec services that which allows execution to disposables created from the :py:attr:`default_dispvm <core-admin:qubes.vm.dispvm.DispVM.default_dispvm>` property when the destination qube of the Qrexec field uses the :doc:`@dispvm <core-qrexec:qrexec-policy>` tag, most commonly used to open files and URLs, (:file:`qubes.OpenInVM` and :file:`qubes.OpenURL`, respectively). |
| 5. (in APPVM) APPVM boots normally, up to the point in ``/etc/init.d/qubes_core`` script when the presence of ``qubes_save_request`` key is tested. If it exists, then | ||
|
|
||
| 1. (in APPVM) if exists, prerun script is retrieved from the respective xenstore key and executed. This preloads filesystem cache with useful applications, so that they will start faster. | ||
| Preloaded disposables are :term:`internal <internal qube>` :term:`unnamed disposables <unnamed disposable>` started in the background and kept hidden from the user when not in use. They are interrupted (paused or suspended, as appropriate) and resumed (transparently) when a disposable qube is requested by the user. |
There was a problem hiding this comment.
And similar to an earlier remark - first say why (started in the background, prepared to be ready when user request it), and then how (internal, paused/suspended etc).
| - Setting or deleting the ``preload-dispvm-max`` feature will refill or remove; | ||
| - (Re)starting :file:`qubes-preload-dispvm.service` will refresh; | ||
| - Using a preloaded disposable will refill; | ||
| - Requesting a disposable will refill; | ||
| - Updating the volumes of a template or disposable template will refresh; | ||
| - Changing system's :py:attr:`default_dispvm <core-admin:qubes.vm.dispvm.DispVM.default_dispvm>` while system's feature is set to a different value than the disposable template setting will refill or remove; |
There was a problem hiding this comment.
Define "refill" and "refresh" actions before.
| - Changing system's :py:attr:`default_dispvm <core-admin:qubes.vm.dispvm.DispVM.default_dispvm>` while system's feature is set to a different value than the disposable template setting will refill or remove; | ||
|
|
||
| 2. restore the COW files from the ``saved_cows.tar`` | ||
| The service :file:`qubes-preload-dispvm.service` is used instead of :py:meth:`domain-load <core-admin:qubes.vm.mix.dvmtemplate.DVMTemplateMixin.on_domain_loaded>` of the disposable template because it relies on systemd to: |
There was a problem hiding this comment.
Context for this sentence? Used for what? Generally this "worry-free life-cycle" section looks like a collection of various information - maybe add some subsections like "When preloading happen", "Common failures" etc?
There was a problem hiding this comment.
I did do a lot of reorganization and heading for this section, should be good now.
Context for this sentence? Used for what? G
Bootstraping after boot.
| The preload creation can also fail for different reasons: | ||
|
|
||
| - Qubesd was interrupted mid preload creation, on the next service restart, :py:meth:`domain-load <core-admin:qubes.vm.mix.dvmtemplate.DVMTemplateMixin.on_domain_loaded>` of the disposable template will refresh the incomplete disposables; | ||
| - Service to check if the system is fully operation has failed; and | ||
| - There is not enough memory to preload at the moment. |
There was a problem hiding this comment.
This part looks out of order - before you talk when preloading happens, after you talk about the same, but here you have some common failure modes.
There was a problem hiding this comment.
I did do a lot of reorganization and heading for this section, should be good now.
| 5. create the same xenstore keys as normally created when AppVM boots (e.g. ``qubes_ip``) | ||
|
|
||
| 6. create the ``qubes_restore_complete`` xenstore key. This allows the boot process in DisposableVM to continue. | ||
| At the end of preloading, the qube is paused if it has not been requested yet, but before pausing, on :py:meth:`domain-pre-paused <core-admin:qubes.vm.dispvm.DispVM.on_domain_pre_paused>`, it attempts to retrieve memory from the qube by setting it to use its preferred memory value, which in :doc:`qmemman terms </developer/services/qmemman>`, is just enough to have the qube running. The memory must be managed before the qube is paused, cause once on the paused state, it is not possible to negotiate with the domain. |
There was a problem hiding this comment.
Please split this into more sentences.
There was a problem hiding this comment.
Reorganized this paragraph, less words, seems more clear and has more sentences.
| 5. create the same xenstore keys as normally created when AppVM boots (e.g. ``qubes_ip``) | ||
|
|
||
| 6. create the ``qubes_restore_complete`` xenstore key. This allows the boot process in DisposableVM to continue. | ||
| At the end of preloading, the qube is paused if it has not been requested yet, but before pausing, on :py:meth:`domain-pre-paused <core-admin:qubes.vm.dispvm.DispVM.on_domain_pre_paused>`, it attempts to retrieve memory from the qube by setting it to use its preferred memory value, which in :doc:`qmemman terms </developer/services/qmemman>`, is just enough to have the qube running. The memory must be managed before the qube is paused, cause once on the paused state, it is not possible to negotiate with the domain. |
There was a problem hiding this comment.
And again - first why, then how.
| 6. create the ``qubes_restore_complete`` xenstore key. This allows the boot process in DisposableVM to continue. | ||
| At the end of preloading, the qube is paused if it has not been requested yet, but before pausing, on :py:meth:`domain-pre-paused <core-admin:qubes.vm.dispvm.DispVM.on_domain_pre_paused>`, it attempts to retrieve memory from the qube by setting it to use its preferred memory value, which in :doc:`qmemman terms </developer/services/qmemman>`, is just enough to have the qube running. The memory must be managed before the qube is paused, cause once on the paused state, it is not possible to negotiate with the domain. | ||
|
|
||
| This process can take a bit of time because it depends on how fast the qube can free up memory. There is a timeout and a threshold in transfer speed. When any of these exit conditions are met, the memory management seizes and the preloaded disposable is paused. Although this process takes some time, we do not worry much about it because it economizes memory on the long run, the biggest problems is that qmemman is synchronous, so only one request can be made at a time, anything that takes too much time on qmemman could prevent ballooning/balancing of other qubes on the system. |
There was a problem hiding this comment.
Add references to specific values (link where to find it)?
There was a problem hiding this comment.
Did that. Qmemman page is outdated and qmemman is not linked in qubes.doc so it doesn't appear on dev.qubes-os.org, and even then, there is no docstring for the modules. Did what I could with this in mind.
| But this comes at a cost: | ||
|
|
||
| DisposableVM savefile contains references to template rootfs and to COW files. The COW files are restored before each DisposableVM start, so they cannot change. On the other hand, if templateVM is started, the template rootfs will change, and it may not be coherent with the COW files. | ||
| - On early GUI connection, if done before the domain is paused: |
There was a problem hiding this comment.
It's not clear the GUI is not connected before pausing. Maybe add a sentence about it, possibly linking to relevant issue if any?
There was a problem hiding this comment.
Added a sentence and linked to the issue that lead from early GUI to late GUI.
|
|
||
| As preloaded disposables are started before being used, methods to prevent accidental tampering have been put in place as well as guarantees to prevent reuse: | ||
|
|
||
| - The qube has the ``internal`` feature enabled, Qubes GUI applications were patched to hide :term:`internal qubes<internal qube>`, handling events for ``domain-feature-((pre-)?set|delete):internal``; |
There was a problem hiding this comment.
handling events for
domain-feature-((pre-)?set|delete):internal;
Some connection is missing, "by handling" maybe?
ben-grande
force-pushed
the
preload-doc
branch
from
3417814 to
0990cfe
Compare
- Cleared misunderstandings of disposable templates, this word was
sometimes used interchangeably with disposables;
- Deduplicate content as much as possible;
- Reference other pages or previous sections;
- Assume the user has read the previous sections up until the
current section they are reading;
- All this deduplication enables easier reading, less clutter, but
each section doesn't stand by itself, each page does. Some things
were reinforced on multiple sections, but limited to when
extremely necessary to learn by reinforcement;
- Structure the files to their distinct use cases:
- how-to-use-disposables is just the basics to learn what are
disposables and how to use them, using GUI and CLI alternatives;
- disposable-customization has everything advanced related to
disposables, such as advanced usage, creation of disposables
templates, their customization;
- disposable-implementation assumes the user understand the previous
pages and contains a more technical description of disposables and
preloaded disposables as well as their implementation;
- Prepared usage for a GUIVM setup, avoiding mentions to dom0;
- Usage modes has been organized in GUI first and CLI second, grouped by
origin such as GUIVM and app qube;
- Usage page restricts itself to "default-dvm", it's name is not
variable like the Whonix disposable template variant and it is the
most used disposable template, thus we avoid variables replacement
that the user should think of the value to a definitive value to use
when learning. Customization page could not benefit much from this
though, as it is intended to create alternative disposable templates;
- Usage page links to Tails documentation of why using it on a VM is not
amensiac, so it can be referenced for users that ask to have Tails in
a VM for anti-forensics purposes;
- Updated the images to R4.3, nobody deserves to see the Qubes version
of the Xfce application menu anymore when the new app menu rocks. The
images also had to be updated because it was fullscreen screenshot
on a large resolution, making it very difficult to read unless
opening the image in a new tab and zooming in;
- Implementation page shows preloaded disposables alternatives that were
once used or considered as a comparative for future studies, to answer
why a different option is not being used and what requirements a
replacement must meet;
- Content from previous releases have been deleted;
- Updates to Qrexec policy v4;
- Use rST roles;
- Change non-ASCII quotes and em-dashes to ASCII;
- Standardized text writing style, many people have contributed to these
pages over the years, there is a lot of different writings styles
which make the text difficult to map. I rewrote a lot of the
paragraphs to my liking and understanding of the different stages that
a user may go through when using disposables, and even on paragraphs
that I didn't completely write, it was modified to follow the same
standard with the rest of the pages. The usage must be very simple
with just the basics, we don't want to scare the user's off of using
disposables, we want to convince them. The customization is a bit more
advanced, it assumes a lot more knowledge from the user to make
decisions by themselves such as customizing applications and qube
settings, which can affect system security. The implementation details
do not require reading the code, it just exist to explain what is
being used and why it was chosen.
Fixes: QubesOS/qubes-issues#10282
For: QubesOS/qubes-issues#1512
ben-grande
force-pushed
the
preload-doc
branch
from
0990cfe to
80c9eda
Compare
4 participants
Fixes: QubesOS/qubes-issues#10282
For: QubesOS/qubes-issues#1512