Creating Qubes and Throwing them Away!

January 6, 2019

One of my favorite things about Qubes-OS is that I can test administrator changes to a Qube and if it fails or I mess it up, I can throw it all away and start over again fairly painlessly. I have made Qubes to test Perl environments, Python environments, linuxbrew, Go, Rust, etc. Today’s adventure was with “eCryptfs”. I have two old Linux boxes that have been with me forever and I have really been worried about the data stored in them. I try to keep them up to date, but they do have old debris scattered in /bin, /usr/bin, etc. I should rebuild them from scratch on new hardware, and that’s my intention, but this is going to take a good solid weekend of my time. For now, I just want to sort of protect the home directories with eCryptfs. I also don’t want to mess up what I have.

So on my Qubes machine, I cloned the debian-9 template to debian-9-ecryptfs. In a dom0 terminal:

$ qvm-clone debian-9 debian-9-ecryptfs

I want a new template, since I will add the eCryptfs packages and I don’t want to pollute the stock debian-9 template.

Then I start a new terminal in the debian-9-ecryptfs template and apt-get “eCryptfs” based on a couple tutorials I have been reading. These tutorials are:

https://www.howtoforge.com/tutorial/how-to-encrypt-directories-with-ecryptfs-on-ubuntu-16-04/

https://wiki.debian.org/TransparentEncryptionForHomeFolder

http://tombuntu.com/index.php/2008/08/07/create-an-encrypted-private-directory-with-ecryptfs/

To install eCryptfs in the template:

# apt-get install ecryptfs-utils

Now I shut down the template and create a new Qube based on the new template using the Qube Manager GUI. I let it default to my-new-qube.

Then I start “my-new-qube” and start playing with the tutorials, creating multiple different encrypted directories, mounting and un-mounting them until I think I have decent practice. Then I throw away “my-new-qube”.

To me, this is perfect: I can learn about eCryptfs without risking my old Debian machine or my Qubes-OS machine.

 

Qubes-OS 4, Creating usable minimal templates

January 1, 2019

My preferred Linux is currently Qubes-OS. One thing I do like is the minimal templates. You can create templates with just what you need in them and then create a Qube from them that doesn’t have a lot of extra pieces that you do not need. However, creating a usable template from the released templates takes extra steps that I kind of fumble around doing, so I will lay out my process here.

  • There is no way to clone or duplicate a template VM from the Qubes Manager, you have to do it from the dom0 command line. Note you do not need sudo:
[user@dom0 ~]$ qvm-clone fedora-27-minimal fedora-27-firefox
  • First, the minimal template does not contain the Qubes password-less sudo and the policy kit. You need to start a shell for the template as root. Again, there is no GUI way to do this, you need to do this from a dom0 command line:
[user@dom0 ~]$ qvm-run -u root fedora-27-firefox xterm
bash-4.4# dnf install qubes-core-agent-passwordless-root polkit
  • I check to make sure that the generalized qubes-core-agent is installed
bash-4.4# dnf install qubes-core-agent
  • I install some of my preferred packages
bash-4.4# dnf install gnome-keyring less pciutils psmisc
bash-4.4# dnf install pulseaudio-qubes
bash-4.4# dnf install qubes-core-agent-networking
  • Now I install the packages that I made the new template for
bash-4.4# dnf install firefox
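
The clone, install, create and discard cycle from this post and from the eCryptfs post above, collected into one dom0 script. This is an added example, not the author's own script; the function names and the DRY_RUN and PKG_INSTALL variables are assumptions made for illustration.

```shell
#!/bin/bash
# Added example for dom0. DRY_RUN=1 (the default) only prints the qvm-*
# commands; run with DRY_RUN=0 in dom0 to execute them.
DRY_RUN="${DRY_RUN:-1}"
# Assumed variable: install command used inside the template
# (use "apt-get install -y" for a Debian template).
PKG_INSTALL="${PKG_INSTALL:-dnf install -y}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only plain qube names so nothing unexpected reaches qvm-*.
valid_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# build_template SRC DST PKG...: clone SRC to DST, install PKG... as root.
build_template() {
    [ "$#" -ge 3 ] || return 1
    local src="$1" dst="$2" p
    shift 2
    valid_name "$src" && valid_name "$dst" && [ "$src" != "$dst" ] || return 1
    # Package names end up in a shell command line inside the template,
    # so reject anything that is not a plain package name.
    for p in "$@"; do
        case "$p" in ""|-*|*[!A-Za-z0-9_.+-]*) return 1 ;; esac
    done
    run qvm-clone "$src" "$dst" || return 1
    run qvm-run -u root --pass-io "$dst" "$PKG_INSTALL $*" || return 1
    run qvm-shutdown --wait "$dst"   # AppVMs see the change after shutdown
}

# scratch_qube TEMPLATE NAME: create a throwaway AppVM based on TEMPLATE.
scratch_qube() {
    valid_name "$1" && valid_name "$2" || return 1
    run qvm-create --template "$1" --label red "$2"
}

# discard_qube NAME: stop and delete the throwaway AppVM.
discard_qube() {
    valid_name "$1" || return 1
    run qvm-shutdown --wait "$1"
    run qvm-remove -f "$1"
}
```

Source the file in dom0 and call, for instance, `build_template fedora-27-minimal fedora-27-firefox qubes-core-agent-passwordless-root polkit firefox`; review the printed commands before setting DRY_RUN=0.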

 

 

Plug for SportsTalkDM.com

June 19, 2018

This is a shameless plug for my cousin’s boy Daniel.

Daniel has been quoting sports scores to me since he was 6 or 7 years old. I think he got his iPod when he was about 8 and he would sit in his room with his little miniature NFL helmets in front of him and make videos of himself commenting on upcoming football matches. A few weeks back, the now 14 year old Daniel asked me what I would use to make a website. Since then he has created a website, SportsTalkDM.com, Sports Talk with Daniel, and a Patreon page, Patreon.com/sportstalkdm and posted a bunch of content. I think his NFL article is pretty good for a 14 year old. Like most first time web authors, he is watching for every page view. I haven’t helped him to this point, but I probably will this weekend, since adding the Javascript for Google AdSense has got him stumped. I would appreciate if anyone could click on his page. He doesn’t have feedback or any way to comment on his main site, but you can comment and like on his Patreon page. I think this is pretty good and I want to try to encourage him.

 

macOS High Sierra

October 21, 2017

For those upgrading to macOS High Sierra. On my Late 2012 Mac mini, the first attempt failed with it getting all the way through and then getting a kernel panic after trying to log in to High Sierra. After failed attempts at debugging it, I restored from Time Machine to start the process again, this time without FileVault. This succeeded and my guess on this is that FileVault was problematic. I have one more Mac computer to do, and I will decrypt FileVault before the upgrade. The macOS High Sierra upgrade is very time consuming: I am about two days into the upgrade and the FileVault re-encryption is still estimating another day. I have only tested the main applications I use on a day to day basis and things are working except for Google Drive/Backup, but I can remove it, re-install it and re-sync again. The upgrade did not offer me APFS and I wanted to wait on that a bit. I am always nervous about new file systems and Apple has already had some security fixes for APFS.

 

Installing Apple Packages Remotely

May 12, 2012

I have a Mac that I maintain remotely and I have been using the command line software update to install the standard Mac updates.

# softwareupdate --list

# softwareupdate --install --all

I didn’t know I could do the same thing for packages until this morning when the 10.7.4 update broke one of my Macs in a weird way. I could do many things as long as I didn’t touch the menu bar or some dialog boxes. If I did, the program seemed to hang in using the shader compiler to send stuff to the ATI chip.

I downloaded the 10.7.4 Combo Update from Apple, but I could not launch the Installer.

This article gave me the info I needed. 

http://hints.macworld.com/article.php?story=20030614230204397

I found out I can run package updates from the command line.

sudo installer -pkg MacOSXUpdCombo10.7.4.pkg -target /

 

Getting a List of Installed Packages in Debian

February 26, 2012

Note to self:

To save:
$ dpkg --get-selections > installedPackagesDate.txt

To recover:
# dpkg --set-selections < installedPackagesDate.txt && apt-get dselect-upgrade

 

Know Your Mac

February 19, 2012

Here’s a list of known process names for Mac applications, that I think is formatted in a helpful way:

http://triviaware.com/macprocess/all

 

StreamFREE.TV

January 22, 2012

A site that ranks some of the Roku channels and channels that are not in the Channel Store:

http://streamfree.tv/

Between the Roku, iTunes and Podcasts, I am overloaded on things I really want to watch, but don’t have time.

MarsEdit – New Favorite Blog Tool

January 21, 2012

MarsEdit works well for what I want to do with it.

http://www.red-sweater.com/marsedit/

My old favorite, Blogo, appears to now be a dead product. It doesn’t work with Mac OS X Lion, and there doesn’t seem to be any activity to fix it.

I also give MarsEdit extra points for being available in the Mac App store.

 

Manually Deleting Applications on the Mac

January 21, 2012

My quick list of things to look for when deleting Mac applications manually. Most Mac applications seem well behaved and only populate things in /Applications and maybe a couple things in ~/Library. Other applications seem to try to put things in all sorts of directories and even their own uninstaller doesn’t clean up after them. Today’s problem child is Mark/Space’s Missing Sync. I ran the uninstaller, but it left behind a lot of stuff. So this is just my list of places to go look to uninstall the remaining pieces of applications.

  • First look to see if they have an uninstaller in /Applications
  • Re-download the package and see if the package comes with an uninstaller.
  • /Applications: look for applications and folders named for what you want to uninstall.
  • Run AppZapper if there is no uninstaller
  • /Library/Application Support
  • /Library/Frameworks
  • /Library/Preferences
  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /System/Library/Extensions
  • ~/Library/Application Support
  • ~/Library/Preferences