Index of /Templates_4.1

Qubes templates

All templates are signed with my Qubes OS Signing key:

pub   rsa4096 2016-06-25 [SC]
      4B1F 400D F256 51B5 3C41  41B3 8B3F 30F9 C8C0 C2EF
uid           [ unknown] unman (Qubes OS signing key) 
sub   rsa4096 2016-06-27 [S] [expires: 2024-06-30]
sub   rsa4096 2016-06-25 [E]

You can read about how to get a copy of the key, and how to validate it here.
You will need to copy the key in to dom0:


qvm-run -p  qube 'cat PATH_TO_KEY ' > RPM-GPG-KEY-unman

and then move it into place:


sudo mv RPM-GPG-KEY-unman /etc/pki/rpm-gpg/RPM-GPG-KEY-unman

Download the template you want to use, and copy it into dom0:
qvm-run -p QUBE 'cat PATH_TO_DOWNLOADED_TEMPLATE ' > TEMPLATE_PACKAGE_NAME
replacing TEMPLATE_PACKAGE_NAME with a name of your choice.
Then check the signature by (e.g):
rpm -K TEMPLATE_PACKAGE_NAME

Install the template using qvm-template:
qvm-template install --keyring /etc/pki/rpm-gpg/RPM-GPG-KEY-unman FULL_PATH_TO_DOWNLOADED_TEMPLATE

Using qvm-template

It is also possible to use the native Qubes tools for template management.
To do this you will need to copy the key to dom0, as above, and move it:


sudo mv RPM-GPG-KEY-unman /etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman

You will also need to create the repository definition.
Create a file at /etc/qubes/repo-templates/3isec-templates.repo, with this content:


[3isec-templates]
name = 3isec Qubes Templates Repository (updates)
baseurl = https://qubes.3isec.org/rpm/r$releasever/templates
skip_if_unavailable = False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:////etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman

Now you can use qvm-template or qvm-template-gui, as normal.

Rolling distros - Parrot, Arch, Kali

Templates like Parrot or Kali are based on Debian testing.
To avoid breakage when updating, the core Qubes packages are on hold.
This means that they will not be updated.
You can confirm this by running apt-mark showhold in the template.
apt-mark unhold will remove the hold, and allow you to update the Qubes packages.
I suggest you restore the hold apt-mark hold to make sure that the Qubes packages are not removed when updating other packages.

So, while updating a template you will see that some packages cannot be upgraded because they will conflict with the Qubes packages.
Periodically, in the template, remove the hold on the Qubes packages. Update the package list with apt update and then update the Qubes packages - either manually with apt install... , or using a manager like aptitude, and selecting Qubes packages for upgrade.
Once the upgrade has been completed, put the Qubes packages back on hold, and upgrade again.

Undoubtedly a pain, but less than the pain of breaking your qubes, and having to crawl backwards to get them working again.
Then again, if you use aptitude you would be able to see what changes would be made, opt to retain the Qubes packages - always keep the Qubes packages, and avoid breakage that way. This depends on you looking to see what changes will be made and acting accordingly. Using apt-mark hold will take some pressure off.

Installing large templates

In 4.1, dom0 is pegged at 20G by default.
This means that you will not be able to install the larger templates, like parrot, without taking some action.
The easiest thing to do is to increase the size of dom0. On a default install you can do this simply enough by:


	sudo lvresize --size 40G /dev/qubes_dom0/root


	sudo resize2fs /dev/mapper/qubes_dom0-root

For more details and options, look here.

Repository definitions and apt-cacher-ng

Very often, the repository definitions in these templates are modified to enable use of the apt-cacher-ng caching proxy. Instead of https:// the definitions have http://HTTPS/// - this is so that the caching proxy can see the request, and then connect to the repository over https. You can read about this here
If you use apt-cacher-ng, that's fine. Everything will just work™.
If you do not use apt-cacher-ng, then you can install it using this tool.
If you do not use apt-cacher-ng, or you do not want to use it for this template, edit the repository definitions, replacing http://HTTPS/// with https://

Always check that the repository definitions suit your use case.

unman