Clarify meaning of "internal" VM and intended use cases #6604

Closed
CrsiX opened this issue May 13, 2021 · 20 comments · Fixed by QubesOS/qubes-core-admin-client#184

Comments

@CrsiX

CrsiX commented May 13, 2021

Qubes OS version

R4.0 (up to date)

Affected component(s) or functionality

Qubes Manager GUI: net VM setting when using a disposable net VM

Brief summary

Setting the net VM for sys-firewall is not possible via GUI, because in the drop down list in the Qubes Settings for sys-firewall, there's no entry sys-net-dvm (how I called it). Changing the setting via qvm-prefs works (networking is possible) and it also shows the correct value: qvm-prefs sys-firewall | grep netvm differs from the one seen in the qube's settings.

How Reproducible

Seems to be

To Reproduce

Steps to reproduce the behavior:

  1. Follow the guide here to set up a disposable sys-net VM.
  2. sys-firewall is not disposable (kept at default settings).
  3. sys-net-dvm (how I called it) provides network of course.
  4. Try to set (or only show) the net VM for sys-firewall via Qubes Settings GUI or in any other qube's settings.

Expected behavior

It shows the correct value (sys-net-dvm) for sys-firewall. For all other qubes, there's a setting sys-net-dvm.

Actual behavior

It shows sys-firewall as net VM for sys-firewall. No accurate dropdown option in any other qube, either.
As I mentioned, the net VM for sys-firewall is sys-net-dvm according to qvm-prefs sys-firewall | grep netvm.

Solutions you've tried

It's only a GUI problem I guess. Using the command line works as expected.

Relevant documentation you've consulted

https://www.qubes-os.org/doc/disposablevm-customization/

Related, non-duplicate issues

Didn't find any

@CrsiX CrsiX added the P: default and T: bug labels May 13, 2021
@andrewdavidwong andrewdavidwong added the C: manager/widget and needs diagnosis labels May 13, 2021
@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone May 13, 2021
@CrsiX
Author

CrsiX commented May 13, 2021

Short update: In the overview of all qubes, the entry for sys-firewall in the NetVM column is correct:

screenshot

@andrewdavidwong
Member

FWIW, I haven't experienced this problem, and I also use a static DisposableVM for sys-net.

@CrsiX
Author

CrsiX commented May 13, 2021

Investigating it, maybe I find some relevant details for you? Because I've set it to be an internal VM:

$ qvm-features sys-net-dvm | grep internal
internal                   True

But setting it to False changes nothing.

Additionally, that qube is also not shown in the global settings dialog of the Qube Manager (e.g. as options for Default NetVM or ClockVM).

@SvenSemmler

SvenSemmler commented May 13, 2021 via email

@CrsiX
Author

CrsiX commented May 13, 2021

Strangely, the same applies to the global ClockVM setting:

$ qubes-prefs clockvm sys-net-dvm
$ qubes-prefs | grep clockvm
clockvm                   -  sys-net-dvm

But in the global settings dialog of Qube Manager, there's the entry of another of my work qubes which has nothing to do with networking on its own (it's alphabetically the first because it starts with 'd' I guess).

Here you go:

$ qvm-prefs sys-net-dvm klass
DispVM

@unman
Member

unman commented May 13, 2021 via email

@CrsiX
Author

CrsiX commented May 13, 2021

Indeed! This fixed the issue:

$ qvm-features sys-net-dvm internal ''

So, the 'boolean value' is whether some string is set there or not. Because qvm-features sys-net-dvm internal XYZ is also treated as internal=true with the described side effects.

The docs (man qvm-features) say for this option:

   internal
       Internal qubes (with this feature set to True) are not included in the menu.

       Default: not internal VM

As this was my initial reason for using the switch, it may be good to point out that there are other side effects like this one, too?
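
The presence-based truthiness described in the comment above, as an added example that is not part of the original thread or of the Qubes OS code base: it parses `qvm-features <qube>` listing output and reports features whose value reads as "off" but is still treated as set. The rule (any non-empty string counts as true) is taken from the behaviour reported here; the helper names, the word list and the sample listing are constructed for illustration.

```python
# Added illustration: models the behaviour reported in this thread,
# it is not code from Qubes OS. All names below are hypothetical.

# Values an admin might type expecting "off"; assumption, not a Qubes list.
FALSE_LOOKING = {"false", "0", "no", "off", "none"}


def feature_is_set(value):
    """Rule observed in the thread: any non-empty string counts as true."""
    return value is not None and value != ""


def parse_features(listing):
    """Parse `qvm-features <qube>` output: feature name, whitespace, value."""
    features = {}
    for line in listing.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue  # skip blank lines
        name = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        features[name] = value
    return features


def audit(listing):
    """Return (name, value) pairs that look disabled but are treated as set."""
    return [
        (name, value)
        for name, value in parse_features(listing).items()
        if feature_is_set(value) and value.lower() in FALSE_LOOKING
    ]


# Constructed sample listing; only "internal" is a feature named on this page,
# the other two names are placeholders.
SAMPLE = """\
internal                   False
example-flag               1
example-empty
"""

if __name__ == "__main__":
    for name, value in audit(SAMPLE):
        print(f"{name}={value!r} is still treated as set; "
              f"clear it with an empty string instead")
```
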

@andrewdavidwong
Member

andrewdavidwong commented May 13, 2021

Indeed! This fixed the issue:

$ qvm-features sys-net-dvm internal ''

So, the 'boolean value' is whether some string is set there or not. Because qvm-features sys-net-dvm internal XYZ is also treated as internal=true with the described side effects.

The docs (man qvm-features) say for this option:

   internal
       Internal qubes (with this feature set to True) are not included in the menu.

       Default: not internal VM

As this was my initial reason for using the switch, it may be good to point out that there are other side effects like this one, too?

This is one of those cases in which the devs had a specific use case in mind for "internal" VMs but failed to document their intentions and the specific use case. The documentation you read is misleading, because it makes it sound like not being included in the menu is all being "internal" amounts to, when that's probably just a side effect.

As far as I can tell, "internal" roughly means (to developers) something like "internal component of the system that we don't want users to mess with." But, of course, there is no way that you could have known that, because it is not indicated or even hinted anywhere, so you did exactly the opposite.

By default, I think only the mgmt VM is set to internal, and messing with that VM can be fatal to the functionality and security of Qubes OS. It is certainly not sufficient to call it "internal," make it slightly harder to find (but still not hard), and expect users to somehow intuit from this that they are doomed if they screw with it too much. Heck, I just realized that my mgmt VM is not set to internal, and I have no idea whether I'm screwed as a result.

@andrewdavidwong andrewdavidwong changed the title from "Qubes Manager doesn't show correct netvm settings with disposable net VM (qvm-prefs does, and it works)" to "Clarify meaning of "internal" VM and intended use cases" May 13, 2021
@andrewdavidwong andrewdavidwong modified the milestones: Release 4.0 updates, TBD May 13, 2021
@andrewdavidwong andrewdavidwong added the C: doc and P: major labels and removed the needs diagnosis and P: default labels May 13, 2021
@DemiMarie

By default, I think only the mgmt VM is set to internal, and messing with that VM can be fatal to the functionality and security of Qubes OS. It is certainly not sufficient to call it "internal," make it slightly harder to find (but still not hard), and expect users to somehow intuit from this that they are doomed if they screw with it too much. Heck, I just realized that my mgmt VM is not set to internal, and I have no idea whether I'm screwed as a result.

You are only screwed if you have done anything in it that could compromise it (like web browsing).

@CrsiX
Author

CrsiX commented May 13, 2021

This is one of those cases in which the devs had a specific use case in mind for "internal" VMs but failed to document their intentions and the specific use case. The documentation you read is misleading, because it makes it sound like not being included in the menu is all being "internal" amounts to, when that's probably just a side effect.

I see. I will set my AppVM (called sys-devices) which is the template for the disposable net VM & USB VM to be internal, but not the actual VMs themselves. In case of problems, this could be changed later.

You are only screwed if you have done anything in it that could compromise it (like web browsing).

Actually, I expect to just not touch it again, i.e. not use it for e.g. web browsing ;)

@marmarta
Member

By the way, the qvm-features manual does say:

.. warning::

   The features are normally managed by the extensions themselves and you should
   not change them directly. Strange things might happen otherwise.

So, you know ;) But I'll push in a sec a PR with a clearer description.

@qubesos-bot

Automated announcement from builder-github

The component core-admin-client (including package python3-qubesadmin-4.1.14-1.fc32) has been pushed to the r4.1 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.1-current-testing


@qubesos-bot

Automated announcement from builder-github

The package core-admin-client has been pushed to the r4.1 stable repository for the CentOS centos-stream8 template.
To install this update, please use the standard update command:

sudo yum update


@qubesos-bot

Automated announcement from builder-github

The package qubes-core-admin-client_4.1.18-1+deb10u1 has been pushed to the r4.1 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade


@qubesos-bot

Automated announcement from builder-github

The component core-admin-client (including package python3-qubesadmin-4.1.18-1.fc32) has been pushed to the r4.1 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo dnf update


@qubesos-bot

Automated announcement from builder-github

The component core-admin-client (including package python3-qubesadmin-4.1.18-1.fc32) has been pushed to the r4.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.
