Any chance for build instructions/tutorial on Qubes OS?

[najamelan]

Hi,

I recently started using qubes os. I'm new to container tech, qubes and xen, so it's all a bit daunting. I read the build instructions for fedora, but qubes installs a fedora on dom0 xen out of the box, which means thing would be a bit different to setup. Also qubes is a bit fragile when making random changes, and especially to dom0.

So I would really like to try running apps directly on xen, but am a bit scared about breaking my system. I wondered if anyone had already tried this directly on Qubes, and if it would be possible to make some tutorial?

Qubes OS installs to a usb drive easily, so it's not to complicated to give it a try.

For Qubes, security is an important point and so installing any software would preferably in a VM, rather than in dom0. Is that possible with rkt or would we have to install it in dom0?

Is this project still being actively developed?
How does it compare in your opinion to rumprun kernels?

I know it's a lot of questions. Thanks in advance for your time.

Naja Melan

[sstabellini]

Hello Naja, Sorry for the late reply, but I was still on vacation. Thank you for looking into stage1-xen! My answers are inline below. Cheers, Stefano

On Tue, 2 Jan 2018, Naja Melan wrote: Hi, I recently started using qubes os. I'm new to container tech, qubes and xen, so it's all a bit daunting. I read the build instructions for fedora, but qubes installs a fedora on dom0 xen out of the box, which means thing would be a bit different to setup. Also qubes is a bit fragile when making random changes, and especially to dom0. So I would really like to try running apps directly on xen, but am a bit scared about breaking my system. I wondered if anyone had already tried this directly on Qubes, and if it would be possible to make some tutorial?

Unfortunately, I can't say that I have.

Qubes OS installs to a usb drive easily, so it's not to complicated to give it a try. For Qubes, security is an important point and so installing any software would preferably in a VM, rather than in dom0. Is that possible with rkt or would we have to install it in dom0?

rkt would have to be in dom0. To be precise, stage1-xen needs to be in dom0 because it calls "xl" to start new VMs. Each container is started as a new VM for security and isolation. It is conceivable to run rkt and stage1-xen in a domU, but then stage1-xen, instead of calling "xl", would have to make RPC calls to some sort of toolstack daemon in dom0 to start new VMs. Assuming that Qubes exports such an RPC interface to start VMs.

Is this project still being actively developed?

Yes, this project is still being developed. I realize that there haven't been many updates here, but that's because the work is happening in other repositories at the moment. For example, the PVCalls frontend has just recently gone upstream in Linux, and that will be used to implemented --net=host.

How does it compare in your opinion to rumprun kernels?

stage1-xen is orthogonal to rumprun: rumprun is a great way to build or recompile an application with the smallest possible overhead. It leads to the best results in terms of performance and size, but it requires recompilation and often changes to the application code base. stage1-xen has a small overhead, but not as small as rumprun, however, it doesn't require the application to be changed or recompiled. It works with stock Docker containers.

I know it's a lot of questions. Thanks in advance for your time.

No problems, it's my pleasure!