5 Jan
2021
5 Jan
'21
7:27 p.m.
Hi,
I've been running Qubes for a few years now and I'd like to give
Spectrum a try, as I've been having some hardware and performance
problems with Qubes. Is there some up-to-date guide I can follow? I
found https://alyssa.is/using-virtio-wl/#demo and was able to see the
weston terminal. I also tried updating to the latest commit and was
able to get a nested wayfire window with:
nix-build . -A spectrumPackages && ./result-3/bin/spectrum-vm
(I'm fairly new to Nix, so not sure if this is the right way to do things)
I managed to change the keyboard layout, mount a tmpfs for home, and
increase the memory enough to start firefox, but I haven't managed to
get much further. Things I tried so far:
- I tried replacing wayfire with weston-terminal, to avoid the nested
session. But sommelier segfaults when I do that.
- I tried adding `--shared-dir /tmp/ff:ff:type=9p` to share a host
directory. Then `mount -t 9p -o trans=virtio,version=9p2000.L ff /tmp`
in the VM seemed to work, but `ls /tmp` crashed the VM.
- I tried using `-d /dev/mapper/disk` to share an LVM partition, but
`mount -t ext4 /dev/vdb /tmp` refused to mount it.
- I tried enabling networking with `--host_ip 10.0.0.1`, etc, but it
said it couldn't create a tap device. I guess it needs more
privileges.
Ideally, I'd like to run a VM with each of my old Qubes filesystems,
to get back to where I was with my Qubes setup, before investigating
new spectrum stuff (e.g. one app per VM). Do you have any advice on
this? I see these lists are a bit quiet - I hope someone is still
working on this because it sounds great :-)
Thanks!
--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC
5 Jan
5 Jan
8:09 p.m.
I've been running Qubes for a few years now and
I'd like to give
Spectrum a try, as I've been having some hardware and performance
problems with Qubes. Is there some up-to-date guide I can follow? I
Well, there are currently tools as in building blocks, but not yet
something announced as a complete solution for a usease.
found https://alyssa.is/using-virtio-wl/#demo and was
able to see the
weston terminal. I also tried updating to the latest commit and was
able to get a nested wayfire window with:
nix-build . -A spectrumPackages && ./result-3/bin/spectrum-vm
(I'm fairly new to Nix, so not sure if this is the right way to do things)
I managed to change the keyboard layout, mount a tmpfs for home, and
increase the memory enough to start firefox, but I haven't managed to
get much further. Things I tried so far:
- I tried replacing wayfire with weston-terminal, to avoid the nested
session. But sommelier segfaults when I do that.
- I tried adding `--shared-dir /tmp/ff:ff:type=9p` to share a host
directory. Then `mount -t 9p -o trans=virtio,version=9p2000.L ff /tmp`
in the VM seemed to work, but `ls /tmp` crashed the VM.
- I tried using `-d /dev/mapper/disk` to share an LVM partition, but
`mount -t ext4 /dev/vdb /tmp` refused to mount it.
- I tried enabling networking with `--host_ip 10.0.0.1`, etc, but it
said it couldn't create a tap device. I guess it needs more
privileges.
Ideally, I'd like to run a VM with each of my old Qubes filesystems,
Depending on how the device setup ends up going, that might be practical
or not so practical (although hopefully a reasonable amount of driver
and window system setup inside each VM should be enough in any case)
to get back to where I was with my Qubes setup, before
investigating
new spectrum stuff (e.g. one app per VM). Do you have any advice on
this? I see these lists are a bit quiet - I hope someone is still
working on this because it sounds great :-)
1) Alyssa is still working on it
2) There is a grant with some milestones still to be reached (and some
earlier ones ahve been paid) and some support from people sponsoring
Alyssa's work via GitHub
3) Alyssa does so much of the work alone, that a lot of things are just…
done without any discussion; some of the discussions are via IRC.
4) Alyssa has mentioned taking a break, and she has not yet announced
being back from the break (which is in line with the planned duration of
the break)
PS. On the other had, do not forget that SpectrumOS aims at better
efficiency in some places, meaning it is almost sure to end up less
secure than Qubes, and the first usable version will likely still be
a prototype with even lower level of security due to compromises in the
component choice.
6 Jan
6 Jan
7:04 a.m.
New subject: Alyssa's break
4) Alyssa has mentioned taking a break, and she has
not yet announced
being back from the break (which is in line with the planned duration of
the break)
Quick update on this -- I'm starting to feel ready to return and have a
plan for it, although there's some behind-the-scenes stuff I need to
sort out before I'll be back writing code. :)
9:11 a.m.
New subject: Alyssa's break
On 1/6/21 7:04 AM, Alyssa Ross wrote:
Good to hear from you, Alyssa! Happy New Year, and take good care of yourself.
The project can wait, self-care is important. :-)
--
Best,
r
4) Alyssa has
mentioned taking a break, and she has not yet announced
being back from the break (which is in line with the planned duration of
the break)
Quick update on this -- I'm starting to feel ready to return and have a
plan for it, although there's some behind-the-scenes stuff I need to
sort out before I'll be back writing code. :)
7 a.m.
Hi! Thanks for getting in touch. :)
To be honest, I'm surprised you got as far as you did -- like Michael
says, I'm currently working towards a proof of concept, so none of what
you've tried out so far is really meant for use outside of that proof of
concept.
I've been running Qubes for a few years now and
I'd like to give
Spectrum a try, as I've been having some hardware and performance
problems with Qubes. Is there some up-to-date guide I can follow? I
found https://alyssa.is/using-virtio-wl/#demo and was able to see the
weston terminal. I also tried updating to the latest commit and was
able to get a nested wayfire window with:
nix-build . -A spectrumPackages && ./result-3/bin/spectrum-vm
(I'm fairly new to Nix, so not sure if this is the right way to do things)
Pretty close -- spectrumPackages is an attribute set containing lots of
derivations, which is why you end up with lots of numbered result-*
symlinks. If you do -A spectrumPackages.spectrum-vm it'll just give you
a single result symlink pointing to that, and you won't need to go
hunting for the right one. :)
I managed to change the keyboard layout, mount a tmpfs
for home, and
increase the memory enough to start firefox, but I haven't managed to
get much further. Things I tried so far:
- I tried replacing wayfire with weston-terminal, to avoid the nested
session. But sommelier segfaults when I do that.
I'm surprised -- this has worked for me before, although it's been a
while since I tried this so maybe I changed something.
- I tried adding `--shared-dir /tmp/ff:ff:type=9p` to
share a host
directory. Then `mount -t 9p -o trans=virtio,version=9p2000.L ff /tmp`
in the VM seemed to work, but `ls /tmp` crashed the VM.
Yeah, this is a known issue. I have a patch[1] for it but didn't add it
to the package since I mostly have been working with my own source
builds of crosvm.
[1]:
https://spectrum-os.org/git/crosvm/commit/?id=1e318da5b57c12f67bed3b528100d…
- I tried using `-d /dev/mapper/disk` to share an LVM
partition, but
`mount -t ext4 /dev/vdb /tmp` refused to mount it.
Never tried that, so I don't know anything about it I'm afraid.
- I tried enabling networking with `--host_ip
10.0.0.1`, etc, but it
said it couldn't create a tap device. I guess it needs more
privileges.
Yeah, crosvm needs to be CAP_NET_ADMIN for that (which is difficult to
do with Nix). You can make a TAP device yourself iproute2 and use
--tap-fd to tell crosvm to use it, or you can use the mktuntap program I
wrote (with a privelege drop after running mktuntap), like this:
sudo mktuntap -pvB 3 \
sudo -u $USER -C 4 result/bin/spectrum-vm -- --tap-fd 3
Ideally, I'd like to run a VM with each of my old
Qubes filesystems,
to get back to where I was with my Qubes setup, before investigating
new spectrum stuff (e.g. one app per VM). Do you have any advice on
this? I see these lists are a bit quiet - I hope someone is still
working on this because it sounds great :-)
Like Michael said, there's a lot I need to do before it's really ready
to use like this, but I am working on it (or at least I will be again
once my anti-burnout break ends). Once I am, I hope to be more active
on the lists again. I used to post weekly status updates, and would
like to get into doing that again once I'm back because they were a
great way to keep people up to date with the project and for me to have
a record of what I'd been doing. Reading some of the old status updates
should give you a bit of a feel for where things are, although things
are a bit further along than they were when I wrote the last one because
I put the status updates on hold to try to chase a funding milestone.
Hope that's all clear -- please ask more questions if you have them,
although if it's anything particularly in the weeds I might wait until
I'm back from my break to answer. :)
3:56 p.m.
On Wed, 6 Jan 2021 at 07:01, Alyssa Ross <hi(a)alyssa.is> wrote:
That's better, thanks!
[...]
Ah, I didn't realise it was using seccomp too. I'm not sure how to
compile specific versions of crosvm. I tried with:
srcs = lib.genAttrs [
"src/third_party/adhd"
"src/aosp/external/minijail"
] getSrc // { "src/platform/crosvm" = /home/.../crosvm; };
and blanked out the hash as it requested, but then:
error: failed to sync Caused by: failed to load pkg lockfile Caused
by: failed to resolve patches for
`https://github.com/rust-lang/crates.io-index` Caused by: failed to
load source for dependency `libvda` Caused by: Unable to update
/build/src/platform2/arc/vm/libvda/rust Caused by: failed to read
`/build/src/platform2/arc/vm/libvda/rust/Cargo.toml`
Looks like this happens since 57df6a0ab23c3b2ba233b9aa5886ecf47ba3f91f
(added a dependency?). Commit 460406d10bbfaa890d56d616b4610813da63a312
just before that gets further, but:
error: the lock file /build/src/platform/crosvm/Cargo.lock needs to be
updated but --frozen was passed to prevent this
How do you build it?
(sorry for these basic Nix/Rust questions)
However, I could get 9p to work by running the previous version with
--seccomp-log-failures. With that, I can read and write files from the
console, but I can't chown things and so can't write from the terminal
window, which is running as a user. I guess it needs uidmap set, but
I'm not sure how to make that work.
OK, I'll keep trying stuff. I have discovered that if I add the
squashfs file as another device (--root "$rootfs" -d "$rootfs") then
it shows an error but mounts it anyway!
# ls /tmp
# mount /dev/vdb /tmp
[ 15.288873] /dev/vdb: Can't open blockdev
# ls /tmp
bin dev etc nix proc run sbin sys tmp
Sadly, this didn't work with my ext4 partition.
OK, I tried like this:
exec sudo "$mktuntap" -pvB 3 \
sudo -u "$USER" -C 4 \
"$crosvm" run \
-p init=/sbin/init \
-p "spectrumcmd=$(printf %s "$command" | base64 -w0)" \
--tap-fd 3 \
--seccomp-log-failures \
--root "$rootfs" \
--host_ip 10.0.0.1 \
--netmask 255.0.0.0 \
--mac c0:ff:ee:c0:ff:ee \
-m 4096 \
"$@" \
"$kernel"
I got "sudo: you are not permitted to use the -C option", which I
fixed by editing the sudoers file. Then it fails with:
[ERROR:src/main.rs:1351] The architecture failed to build the vm:
error creating devices: failed to set up virtio networking: failed to
open tap device: failed to create tap interface: Operation not
permitted (os error 1)
Strace shows:
openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK|O_CLOEXEC) = 31
ioctl(31, TUNSETIFF, 0x7ffee7ede238) = -1 EPERM (Operation not permitted)
Maybe it's just because my crosvm is too old?
Great! I'm on a break myself at the moment, which is why I have some
time to try all this out.
Hi! Thanks for getting in touch. :)
To be honest, I'm surprised you got as far as you did -- like Michael
says, I'm currently working towards a proof of concept, so none of what
you've tried out so far is really meant for use outside of that proof of
concept.
[...]
nix-build
. -A spectrumPackages && ./result-3/bin/spectrum-vm
(I'm fairly new to Nix, so not sure if this is the right way to do things)
Pretty close -- spectrumPackages is an attribute set containing lots of
derivations, which is why you end up with lots of numbered result-*
symlinks. If you do -A spectrumPackages.spectrum-vm it'll just give you
a single result symlink pointing to that, and you won't need to go
hunting for the right one. :) - I tried
adding `--shared-dir /tmp/ff:ff:type=9p` to share a host
directory. Then `mount -t 9p -o trans=virtio,version=9p2000.L ff /tmp`
in the VM seemed to work, but `ls /tmp` crashed the VM.
Yeah, this is a known issue. I have a patch[1] for it but didn't add it
to the package since I mostly have been working with my own source
builds of crosvm.
[1]:
https://spectrum-os.org/git/crosvm/commit/?id=1e318da5b57c12f67bed3b528100d…
- I tried
using `-d /dev/mapper/disk` to share an LVM partition, but
`mount -t ext4 /dev/vdb /tmp` refused to mount it.
Never tried that, so I don't know anything about it I'm afraid. - I tried
enabling networking with `--host_ip 10.0.0.1`, etc, but it
said it couldn't create a tap device. I guess it needs more
privileges.
Yeah, crosvm needs to be CAP_NET_ADMIN for that (which is difficult to
do with Nix). You can make a TAP device yourself iproute2 and use
--tap-fd to tell crosvm to use it, or you can use the mktuntap program I
wrote (with a privelege drop after running mktuntap), like this:
sudo mktuntap -pvB 3 \
sudo -u $USER -C 4 result/bin/spectrum-vm -- --tap-fd 3 Ideally,
I'd like to run a VM with each of my old Qubes filesystems,
to get back to where I was with my Qubes setup, before investigating
new spectrum stuff (e.g. one app per VM). Do you have any advice on
this? I see these lists are a bit quiet - I hope someone is still
working on this because it sounds great :-)
Like Michael said, there's a lot I need to do before it's really ready
to use like this, but I am working on it (or at least I will be again
once my anti-burnout break ends). Once I am, I hope to be more active
on the lists again. I used to post weekly status updates, and would
like to get into doing that again once I'm back because they were a
great way to keep people up to date with the project and for me to have
a record of what I'd been doing. Reading some of the old status updates
should give you a bit of a feel for where things are, although things
are a bit further along than they were when I wrote the last one because
I put the status updates on hold to try to chase a funding milestone.
I've read some of them - they're very helpful!
Hope that's all clear -- please ask more questions
if you have them,
although if it's anything particularly in the weeds I might wait until
I'm back from my break to answer. :)
I have many questions :-) But don't feel pressured to answer them; I
need to figure out how to make this all work myself anyway, and it's
just a bonus if you've already done the work for me...
--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC
7 Jan
7 Jan
11:38 a.m.
On Wed, 6 Jan 2021 at 15:56, Thomas Leonard <talex5(a)gmail.com> wrote:
[...]
exec sudo "$mktuntap" -pvB 3 \
sudo -u "$USER" -C 4 \
"$crosvm" run \
-p init=/sbin/init \
-p "spectrumcmd=$(printf %s "$command" | base64 -w0)" \
--tap-fd 3 \
--seccomp-log-failures \
--root "$rootfs" \
--host_ip 10.0.0.1 \
--netmask 255.0.0.0 \
--mac c0:ff:ee:c0:ff:ee \
-m 4096 \
"$@" \
"$kernel"
I got "sudo: you are not permitted to use the -C option", which I
fixed by editing the sudoers file. Then it fails with:
[ERROR:src/main.rs:1351] The architecture failed to build the vm:
error creating devices: failed to set up virtio networking: failed to
open tap device: failed to create tap interface: Operation not
permitted (os error 1)
D'oh! I just realised you're not supposed to use the other network
options when using `--tap-fd`!
I was then able to browse the web from crosvm, like this:
- Add pkgs/os-specific/linux/spectrum/rootfs/etc/resolv.conf with e.g.
"nameserver 8.8.8.8".
- Configure the virtual eth0 in the VM setup script:
foreground { ifconfig eth0 10.0.0.2 up }
foreground { route add default gateway 10.0.0.1 }
- Enable NAT in configuration.nix, e.g.
networking.nat = {
enable = true;
externalInterface = "eno2";
internalIPs = [ "10.0.0.0/8" ];
};
- Start the VM.
- Run "sudo ifconfig tap0 10.0.0.1 up" on host.
- Run firefox in VM to browse the web :-)
--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC
3:33 p.m.
On Wed, 6 Jan 2021 at 15:56, Thomas Leonard <talex5(a)gmail.com> wrote:
[...]
Sadly, this didn't work with my ext4 partition.
This turned out to be just because ext4 is compiled as a module, and
/lib isn't in the root filesystem.
Adding "EXT4_FS = yes" to the kernel configuration fixed it.
--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC
14 Jan
14 Jan
12:29 p.m.
- I tried adding `--shared-dir /tmp/ff:ff:type=9p` to
share a host
directory. Then `mount -t 9p -o trans=virtio,version=9p2000.L ff /tmp`
in the VM seemed to work, but `ls /tmp` crashed the VM.
Yeah, this is a known issue. I have a patch[1] for it but didn't add it
to the package since I mostly have been working with my own source
builds of crosvm.
[1]:
https://spectrum-os.org/git/crosvm/commit/?id=1e318da5b57c12f67bed3b528100d…
Yeah, crosvm
needs to be CAP_NET_ADMIN for that (which is difficult to
do with Nix). You can make a TAP device yourself iproute2 and use
--tap-fd to tell crosvm to use it, or you can use the mktuntap program I
wrote (with a privelege drop after running mktuntap), like this:
sudo mktuntap -pvB 3 \
sudo -u $USER -C 4 result/bin/spectrum-vm -- --tap-fd 3
OK, I tried like this:
exec sudo "$mktuntap" -pvB 3 \
sudo -u "$USER" -C 4 \
"$crosvm" run \
-p init=/sbin/init \
-p "spectrumcmd=$(printf %s "$command" | base64 -w0)" \
--tap-fd 3 \
--seccomp-log-failures \
--root "$rootfs" \
--host_ip 10.0.0.1 \
--netmask 255.0.0.0 \
--mac c0:ff:ee:c0:ff:ee \
-m 4096 \
"$@" \
"$kernel"
I got "sudo: you are not permitted to use the -C option", which I
fixed by editing the sudoers file. Then it fails with:
[ERROR:src/main.rs:1351] The architecture failed to build the vm:
error creating devices: failed to set up virtio networking: failed to
open tap device: failed to create tap interface: Operation not
permitted (os error 1)
Strace shows:
openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK|O_CLOEXEC) = 31
ioctl(31, TUNSETIFF, 0x7ffee7ede238) = -1 EPERM (Operation not permitted)
Maybe it's just because my crosvm is too old? Hope
that's all clear -- please ask more questions if you have them,
although if it's anything particularly in the weeds I might wait until
I'm back from my break to answer. :)
I have many questions :-) But don't feel pressured to answer them; I
need to figure out how to make this all work myself anyway, and it's
just a bonus if you've already done the work for me...
12:51 p.m.
OK, I tried like this:
exec sudo "$mktuntap" -pvB 3 \
sudo -u "$USER" -C 4 \
"$crosvm" run \
-p init=/sbin/init \
-p "spectrumcmd=$(printf %s "$command" | base64 -w0)" \
--tap-fd 3 \
--seccomp-log-failures \
--root "$rootfs" \
--host_ip 10.0.0.1 \
--netmask 255.0.0.0 \
--mac c0:ff:ee:c0:ff:ee \
-m 4096 \
"$@" \
"$kernel"
I got "sudo: you are not permitted to use the -C option", which I
fixed by editing the sudoers file. Then it fails with:
[ERROR:src/main.rs:1351] The architecture failed to build the vm:
error creating devices: failed to set up virtio networking: failed to
open tap device: failed to create tap interface: Operation not
permitted (os error 1)
Strace shows:
openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK|O_CLOEXEC) = 31
ioctl(31, TUNSETIFF, 0x7ffee7ede238) = -1 EPERM (Operation not permitted)
Maybe it's just because my crosvm is too old?
This is because if you specify --host_ip, --netmask, or --mac, crosvm
will try to create its own TAP device. If you omit all those arguments
I think it should work.
20 Jan
20 Jan
1:04 p.m.
On Thu, 14 Jan 2021 at 12:51, Alyssa Ross <hi(a)alyssa.is> wrote:
[...]
Oh, whoops, I missed your reply about having worked
this out already!
Yeah, disk and networking is OK now.
I also managed to fix the fonts, by using `export FONTCONFIG_FILE
/etc/fonts/fonts.conf`. By default, it didn't have a monospace font
available, which was pretty hard to read in the terminal.
I want to get wayland forwarding working next. For now, I'm using `ssh
-Y` to my VM to forward X. It works, but it's a little slow.
I set `export WAYLAND_DEBUG 1`, and tried weston-terminal again. That produced:
[...]
[446067.157] -> wl_region(a)21.destroy()
[446067.481] -> wl_surface@16.set_input_region(wl_region@22)
[446068.036] -> wl_region(a)22.destroy()
[446068.412] -> wl_surface@16.attach(wl_buffer@24, 0, 0)
[446069.190] -> wl_surface(a)16.damage(0, 0, 806, 539)
[446070.141] -> wl_surface(a)16.commit()
[446070.531] wl_keyboard(a)20.keymap(1, fd 8, 48869)
[ 1.796076] sommelier[88]: segfault at 30 ip 00007fa5376062c0 sp
00007ffe128592c8 error 4 in
libwayland-client.so.0.3.0[7fa537604000+6000]
[ 1.798026] Code: ff ff ff 5d 41 5c c3 0f 1f 00 48 8d b7 d0 00 00
00 e9 e4 df ff ff 0f 1f 40 00 48 89 77 30 c3 66 66 2e 0f 1f 84 00 00
00 00 00 <48> 8b 47 30 c3 66 66 2e 0f 1f 84 00 00 00 00 00 8b 47 40 c3
66 66
Looking at the crash, I think it's actually the `set_input_region`
getting `null`, but not sure why yet. I'm currently reading the Nix
manual to get a better understanding of how this is all built, and the
wayland docs to find out how that's supposed to work...
--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC
27 Jan
27 Jan
5:31 p.m.
I've made a bit of progress this week:
It turns out that weston-terminal crashes sommelier if started when
the clipboard is empty, due to trying to dereference NULL. I've
patched it to fix that, and now I can run it directly under sommelier,
without wayfire. I made a few other changes to sommelier too:
- I switched to the latest version, which provides meson instead of
common-mk for building. Also, they removed the demos and got rid of
some bogus dependencies. That simplified the build a lot!
- They switched to the stable XDG protocols, but then reverted it
again. I unreverted it to get things going again. Not sure if I did it
right (they migrated from C to C++ so the patch didn't apply
directly).
- I added xwayland to the VM and sommelier command, allowing X
applications to run in the VM.
- By default sommelier runs the program with an already-open socket,
which doesn't work if the program (or its children) want to open
multiple connections.
I was able to fix that by using `--parent` mode, and getting rid of
PEER_CMD_PREFIX (which just adds some chromium paths preventing it
from working).
- Note: in `--parent` mode it waits for the process to exit before
processing events on the socket, so if you just run an application
directly it will hang. I used `bash -c 'firefox &'` as the command as
a work-around.
- Some programs (e.g. firefox) refused to start because the protocol
versions offered by sommelier were too old. I increased the version
numbers and that's working now. It needs doing properly, though. e.g.
I implemented the new "sl_host_surface_damage_buffer" by simply
calling the old damage function, which is obviously not correct but is
working for me so far!
- Annoyingly, using `--parent` disables xwayland support. Maybe we
should run xwayland manually, or use a second sommelier instance?
In general, sommelier seems quite buggy and annoying. I guess it will
need updating constantly to proxy every new wayland protocol. Yet it
can't add any useful security because it runs inside the VM, and is
therefore untrusted.
Some other changes that I found useful:
- I added the generated kernel modules directory to rootfs, which
allows using all the normal features of Linux (e.g. ext4) in the VM.
- I switched from `bash` to `bashInteractive` as the VM shell, which
gets cursor keys working.
- I wrote a Nix package to generate one script for each of my old
qubes. So e.g. I can now run `qvm-start-shopping` to start my crosvm
shopping instance, with its own /home LVM partition and IP address. It
passes the network configuration using some new kernel parameters
(alongside spectrumcmd).
- I put each VM on its own point-to-point virtual network. These
networks are set up by /etc/nixos/configuration.nix. That works well
for my qubes-like VMs, though I guess spectrum will need something
more dynamic.
- I enabled the shared filesystem (VIRTIO_FS), which works nicely. I
use it to provide a (separate) shared directory to each VM that I can
access from the host.
One problem is that the crosvm driver runs in a minijail with a
uidmap that makes every file appear to be owned by root, so only root
can write things in the VM.
Possibly a newer kernel would help; later versions of the kernel
docs say you can include any normal FUSE flags here, so mounting with
`uid=1000` might work.
- Finally, I added a `vm-halt` command that just calls `reboot`, as I
don't want to develop the habit of typing `reboot` without thinking
;-)
If any of this sounds useful for spectrum let me know. I can try and
tidy it up; it's all a huge mess at the moment!
Once this is working more smoothly, I guess the next issues will be
setting up some kind of secure window manager on the host (e.g.
labelling windows with the VM they come from, not allowing
screenshots, etc). Would also be good to get sound forwarding working
somehow (Qubes routes pulseaudio to all the VMs and gives you a mixer
to control the levels for each, but I don't know how that worked). It
also needs some kind of VM manager to keep track of which VMs are
running. And some kind of IPC system like qrexec would be useful. Do
you have thoughts or plans about how to do any of this?
On Wed, 20 Jan 2021 at 13:04, Thomas Leonard <talex5(a)gmail.com> wrote:
On Thu, 14 Jan 2021 at 12:51, Alyssa Ross <hi(a)alyssa.is> wrote:
[...]
--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC
Oh, whoops, I missed your reply about having
worked this out already!
Yeah, disk and networking is OK now.
I also managed to fix the fonts, by using `export FONTCONFIG_FILE
/etc/fonts/fonts.conf`. By default, it didn't have a monospace font
available, which was pretty hard to read in the terminal.
I want to get wayland forwarding working next. For now, I'm using `ssh
-Y` to my VM to forward X. It works, but it's a little slow.
I set `export WAYLAND_DEBUG 1`, and tried weston-terminal again. That produced:
[...]
[446067.157] -> wl_region(a)21.destroy()
[446067.481] -> wl_surface@16.set_input_region(wl_region@22)
[446068.036] -> wl_region(a)22.destroy()
[446068.412] -> wl_surface@16.attach(wl_buffer@24, 0, 0)
[446069.190] -> wl_surface(a)16.damage(0, 0, 806, 539)
[446070.141] -> wl_surface(a)16.commit()
[446070.531] wl_keyboard(a)20.keymap(1, fd 8, 48869)
[ 1.796076] sommelier[88]: segfault at 30 ip 00007fa5376062c0 sp
00007ffe128592c8 error 4 in
libwayland-client.so.0.3.0[7fa537604000+6000]
[ 1.798026] Code: ff ff ff 5d 41 5c c3 0f 1f 00 48 8d b7 d0 00 00
00 e9 e4 df ff ff 0f 1f 40 00 48 89 77 30 c3 66 66 2e 0f 1f 84 00 00
00 00 00 <48> 8b 47 30 c3 66 66 2e 0f 1f 84 00 00 00 00 00 8b 47 40 c3
66 66
30
days inactive
52
days old
11 comments
4 participants
participants (4)
-
Alyssa Ross -
Michael Raskin -
Michał "rysiek" Woźniak -
Thomas Leonard