Qubes VM network overview #6269
Comments
I myself have wanted such an overview on more than one occasion. An interactive one (which allowed editing) would be even better.
We used to have a very basic version of this in the Qube Manager, but it lacked many of the features you want. I just tried looking for it, but it seems to have somehow disappeared. @marmarta, any idea what happened to it?
Duplicate of #2575
This appears to be a duplicate of an existing issue. If so, please comment on the appropriate existing issue instead. If you believe this is not really a duplicate, please leave a comment briefly explaining why. We'll be happy to take another look and, if appropriate, reopen this issue. Thank you.
On Thu, Dec 10, 2020 at 07:03:13PM -0800, Andrew David Wong wrote:
> We used to have a very basic version of this in the Qube Manager, but it lacked many of the features you want. I just tried looking for it, but it seems to have somehow disappeared. @marmarta, any idea what happened to it?

It disappeared when Qube manager went, and didn't re-emerge when QM was restored.
We had a prototype of exactly this interactive network map at the time, but work stopped when QM was dropped. I'll see if it's worth resuscitating and I can release it.
Another thought: Maybe a simple script to generate a mermaid js flow chart according to the Qubes OS network topology and view that in some VM would do. mermaid is even supported natively on gitlab; unfortunately not on github though.
Just pushed that idea to https://github.com/3hhh/qvm-ls-mermaid
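An added example of the script sketched above, written for this page rather than taken from the thread or from qvm-ls-mermaid: it parses qube/NetVM pairs in the shape that `qvm-ls --raw-data -O NAME,NETVM` prints (the flag names and the inline sample are assumptions, not captured output), emits a mermaid flowchart, and also computes each qube's NetVM chain so you can check that, say, an anonymous qube really routes through sys-whonix and that no NetVM loop exists.

```python
import re

# Constructed sample in the shape of `qvm-ls --raw-data -O NAME,NETVM` output
# (pipe-separated, one qube per line); not captured from a real system.
SAMPLE_QVM_LS = """\
sys-net|-
sys-firewall|sys-net
sys-whonix|sys-firewall
work|sys-firewall
anon-web|sys-whonix
vault|-
"""

def parse_netvms(raw):
    """Return {qube: netvm or None} from pipe-separated NAME|NETVM lines."""
    topology = {}
    for line in filter(str.strip, raw.splitlines()):
        name, netvm = (f.strip() for f in line.split("|", 1))
        topology[name] = None if netvm in ("", "-") else netvm
    return topology

def mermaid_id(name):
    """Hyphens can collide with mermaid's edge syntax, so map unsafe chars to '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)

def to_mermaid(topology):
    """Left-to-right flowchart; qubes without a NetVM stay visible as isolated nodes."""
    lines = ["flowchart LR"]
    for qube, netvm in sorted(topology.items()):
        node = f'{mermaid_id(qube)}["{qube}"]'
        if netvm is None:
            lines.append(f"    {node}")
        else:
            lines.append(f'    {node} --> {mermaid_id(netvm)}["{netvm}"]')
    return "\n".join(lines)

def uplink_chain(topology, qube):
    """NetVMs traversed from `qube` towards the physical uplink, in order.
    Raises on a NetVM cycle or on a NetVM that is not itself listed."""
    chain, seen = [], {qube}
    cur = topology[qube]
    while cur is not None:
        if cur in seen:
            raise ValueError(f"NetVM cycle at {cur}")
        if cur not in topology:
            raise KeyError(f"{qube} points at unknown NetVM {cur}")
        chain.append(cur)
        seen.add(cur)
        cur = topology[cur]
    return chain
```

Pipe the real `qvm-ls` output into `parse_netvms` from dom0 or a management qube and paste `to_mermaid(...)` into any mermaid renderer.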
On Tue, Dec 29, 2020 at 05:02:31AM -0800, 3hhh wrote:
> Maybe a simple script to generate a [mermaid js](https://mermaid-js.github.io/) flow chart according to the Qubes OS network topology and view that in some VM would do.
> Just pushed that idea to https://github.com/3hhh/qvm-ls-mermaid

here's a screenshot of a poc using networkx, running in a management qube.
I'm intrigued, but unfortunately github removes attachments. Long term I'd be interested to also add notes to individual VMs and save it in my personal repo in a text-based format. Doing the same network graph overview for template relationships should also be fairly trivial.
Question for @3hhh: Where is the value to you as a user, in sharing a diagram of your setup with others? Assuming you have documented your own setup: how often do you reference it, what are your needs or motivations when referencing it? TL;DR, I do have it in my pipeline to work on a complete GUI redesign of Qubes Manager, sometime in 2021. I'm not a developer, but a designer, so iterating quickly on ideas in visual sketches w/o committing things to code, is how I'll be approaching this work—and I find your ideas intriguing. They seem best suited to inform either how a Qubes Manager GUI is presented to users as a window view option, or as an exportable diagram w/ notations (or both). Also, yep, noted this issue is Closed; and I commented on the duplicate issue to get the broader ask/need on my radar.
On Tue, Dec 29, 2020 at 10:50:53AM -0800, 3hhh wrote:
> here's a screenshot of a poc using networkx, running in a management qube.
> I'm intrigued, but unfortunately github removes attachments.
> Long term I'd be interested to also add notes to individual VMs and save it in my personal repo in a text-based format. Doing the same network graph overview for template relationships should also be fairly trivial.

Oh.
I'll post to the user list then.
Hmmm by now I realized that there are two different ideas to present VM relations now:
With 2 being a subset of 1 as networking isn't the only sharing methodology. There's also copy-pasting, qvm-copy, ... (whatever the Qubes OS RPC policy allows). For 1 one might have to visualize the Qubes OS policy including the network topology, for 2 it's the network topology only, which this was originally about. 1 is what I personally use my diagram for though. So I fear I originally mixed it up.

1 is interesting for personal review (is it still sane?). Otherwise I might have lost overview of my ~60+ VM setup. I tend to use it whenever I consider adding a new feature from an architecture point-of-view (what was the intent of having that VM and what kind of interactions does it need with other VMs?).

2 is useful for the Qubes OS doc and posting about network-related "how do I set this up from a network point of view?" Admittedly the list of possible diagrams for 2 is relatively short as most will have something like

Anyway 1 & 2 can be useful to propagate the Qubes OS ideas as images in presentations, forums, social media, ... In total it would be nice to "visualize security" in the form of all allowed VM interactions (aka 1).
P.S.: One could even use such an overview like 1 interactively to manage all Qubes (e.g. right click on a node to change settings, move a link to change the network manager and maybe RPC settings etc.). I only worry that it might be a bit too radical of a change; so better introduce it as an alternative view or so first...
I randomly noticed that @marmarek created qrexec-policy-graph in 2017 or so (thanks!), which essentially does the RPC job except for the visualization, but is little known. It should be fairly easy to add it to qvm-ls-mermaid. Related: #4721
On Mon, Jan 04, 2021 at 07:55:15AM -0800, 3hhh wrote:
> I randomly noticed that @marmarek created [qrexec-policy-graph](https://github.com/QubesOS/qubes-core-qrexec/blob/master/qrexec/tools/qrexec_policy_graph.py) in 2017 or so (thanks!), which essentially does the RPC job except for the visualization, but is little known.

Ah, yes. The output is in `dot` format, you can use `dot` command to convert it into a favorite graphical format. Warning, it will be quite big for the full system graph.
It produced a 40k+ edges graph on my system, but I managed to reduce them to 10 edges, i.e. essentially the originating policy. The combined network & RPC policy graph for my entire Qubes OS system with 60+ VMs can therefore be easily viewed on my monitor! There's a sample screenshot of network-related VMs here. @unman : In total I think that your
On Fri, Jan 08, 2021 at 10:36:32AM -0800, 3hhh wrote:
> Warning, it will be quite big for the full system graph.
> It produced a 40k+ edges graph on my system, but I managed to reduce them to 10 edges, i.e. essentially the originating policy.
> The combined network & RPC policy graph for my entire Qubes OS system with 60+ VMs can therefore be easily viewed on my monitor!
> There's a sample screenshot of network-related VMs [here](https://raw.githubusercontent.com/3hhh/qvm-ls-mermaid/master/examples/1.png).
> @unman :
> The pruning script can be found [here](https://github.com/3hhh/qvm-ls-mermaid/blob/master/prune-policy-graph) in case you also want to add the RPC nodes. It is standalone and also works in VMs.
> In total I think that your `networkx` approach should prove more fruitful in the long run (more import/export formats, easy graph modifications, better interaction etc.), but my stuff is probably more feature-complete mid term.

I think our intentions are somewhat different, so "feature-complete" will differ.
The problem you're addressing (if any)
It would be nice to be able to obtain a graphical overview of my Qubes OS machine.
Describe the solution you'd like
Some sort of interactive GUI providing the following features:
A -- B
Where is the value to a user, and who might that user be?
Describe alternatives you've considered
I currently do it myself with inkscape.
Additional context
Actually something like the pictures of Joanna's post, just automatically generated from an existing Qubes OS instance.
Relevant documentation you've consulted
.
Related, non-duplicate issues
None?