# Starting an ibox as qubes AppVM

## Setting up the template

The main idea is to have:

1. An `ibox` template VM mirroring more or less a VM created by our [kickstart file](https://code.immerda.ch/immerda/ibox/stemcell/-/blob/master/http/centos8.ks).
1. An `ibox-instance` AppVM.
First start by checking out this repository in your development VM. We'll assume
it to be called `devqube`:

```
git clone git@code-ssh.immerda.ch:immerda/ibox/qubes.git ibox-qubes
```

To create both VMs and install centos-8, there is a [setup/dom0.sh](setup/dom0.sh) script.
You can run it in dom0 with:

```
qvm-run -p devqube "cat /home/user/Documents/ibox-qubes/setup/dom0.sh" > setup-ibox.sh
sh setup-ibox.sh
```

Troubleshoot: If updating centos-8-minimal fails you might have a broken template. Removing and re-installing the `qubes-template-centos-8-minimal` might help.

Now all the VMs are created and we can start setting up the `ibox-template` template. Start
the VM and execute `setup/ibox-template.sh` in it, as root. It installs all
required packages and repositories.

Stop the `ibox-template` VM again.
Finally, you need to allow your `devqube` to issue commands to `ibox-instance`.
To that end add the following line to `/etc/qubes-rpc/policy/qubes.VMShell` in dom0:

```
devqube ibox-instance allow
```

## Initialize ibox instance

To create an ibox as an AppVM do:

```
qvm-create --label gray --template ibox-template ibox-instance
```

or to create a standalone VM do:

```
qvm-clone --label gray ibox-template ibox-instance
```

To initialize an `ibox-instance` do the following:

```
cat init.sh | qvm-run-vm ibox-instance "cat - > init.sh && sh init.sh"
dns=$(resolvectl dns | grep Global | cut -d' ' -f2)
echo "resolvconf::nameservers: ['$dns']" | qvm-run-vm ibox-instance "cat - >> ibox/hieradata/vagrant.yaml"
```

You only need to do this once. All data ends up in rw volumes.

Finally, on `ibox-instance`, run:

```
sudo -i /home/user/ibox/bin/local_apply.sh
```

## Sync back changes

To sync back your changes from the ibox to your local copy of the boilerplate repo use:

```
./sync.sh ibox-instance /path/to/boilerplate-repo
```

## Secondary disk

Some modules need a secondary data disk. On your development qube create a block device and attach it:

```
# on devqube
truncate -s 1024m data.img
sudo losetup /dev/loop0 data.img
# on dom0
qvm-attach ibox-instance devqube:loop0
```
Modules might create huge volumes. Either use a huge disk, or reduce their size, e.g.:

```
ib_disks::datavgs::www::size_data: '500mb'
```