qubes-cheatsheet.txt

Qubes Cheatsheet

_a summary of useful qubes commands_

version: 3.2

Mini Glossary

-   Xen - _Hypervisor_
-   VM - _Virtual Machine_
-   Qube - _Qubes OS specific alias for VM_
-   Dom0 - _Priviledged Xen VM (runs Qubes Manager)_
-   DomU - _Normal Xen VM_
-   QWT - _Qubes Windows Tools_
-   PV - _Paravirtualized VM_
-   HVM - _Hardware Virtual Machine_
-   HVM + PV drivers - _HVM with PV drivers (Windows + QWT)_
-   GUI - _Graphical User Interface_

VM Management

_NOTE: All commands are executed in @Dom0 terminal (Konsole, Terminal,
Xterm etc.)_

qubes-manager

- _Graphical VM Manager_

usage: qubes-manager

qvm-block

- _Lists/attaches VM PCI devices_

usage:

-   qvm-block -l [options]

-   qvm-block -a [options] <device> <vm-name>

-   qvm-block -d [options] <device>

-   qvm-block -d [options] <vm-name>

---

qvm-block -A personal dom0:/home/user/extradisks/data.img - _attaches an
additional storage for the personal-vm_

qvm-clone

- _Clones an existing VM by copying all its disk files_

usage: qvm-clone [options] <existing-vm-name> <new-clone-vm-name>

---

qvm-clone fedora-23 fedora-23-dev - _create a clone of fedora-23 called
fedora-23-dev_

qvm-firewall

- _Manage VM firewall rules_

usage: qvm-firewall -l [-n] <vm-name>

---

qvm-firewall -l personal - _displays the firewall settings for the
personal-vm_

qvm-firewall -l -n fedora-23 - _displays the firewall settings for the
personal-vm with port numbers_

qvm-ls

- _Lists VMs and various information about their state_

usage: qvm-ls [options] <vm-name>

---

qvm-ls - _lists all vms_

qvm-ls -n - _show network addresses assigned to VMs_

qvm-ls -d - _show VM disk utilization statistics_

qvm-prefs

- _List/set various per-VM properties_

usage:

-   qvm-prefs -l [options] <vm-name>

-   qvm-prefs -s [options] <vm-name> <property> [...]

---

qvm-prefs win7-copy - _lists the preferences of the win7-copy_

qvm-prefs win7-copy -s mac 00:16:3E:5E:6C:05 - _sets a new mac for the
network card_

qvm-prefs lab-win7 -s qrexec_installed true - _sets the qrexec to
installed_

qvm-prefs lab-win7 -s qrexec_timeout 120 - _usefull for windows hvm
based vms_

qvm-prefs lab-win7 -s default_user joanna - _sets the login user to
joanna_

qvm-run

- _Runs a specific command on a vm_

usage: qvm-run [options] [<vm-name>] [<cmd>]

---

qvm-run personal xterm - _runs xterm on personal_

qvm-run personal xterm --pass-io - _runs xterm and passes all
sdtin/stdout/stderr to the terminal_

qvm-run personal "sudo dnf update" --pass-io --nogui - _pass a
dnf update command directly to the VM_

qvm-start

- _Starts a vm_

usage: qvm-start [options] <vm-name>

---

qvm-start personal - _starts the personal-vm_

qvm-start ubuntu --cdrom personal:/home/user/Downloads/ubuntu-14.04.iso
- _starts the ubuntu-vm with the ubuntu installation CD_

qvm-shutdown

- _Stops a vm_

usage: qvm-shutdown [options] <vm-name>

---

qvm-shutdown personal - _shutdowns the personal-vm_

qvm-shutdown --all - _shutdowns all VM’s_

qvm-kill

- _Kills a VM - same as pulling out the power cord - immediate shutdown_

usage: qvm-kill [options] <vm-name>

---

qvm-kill personal - _pull the power cord for the personal-vm - immediate
shutdown_

qvm-trim-template

- _Trims the disk space of a template_

usage: qvm-trim-template <template-name>

---

qvm-trim-template debian-8 - _helpful after upgrading or removing many
packages/files in the template_

qvm-sync-appmenus

- _Updates desktop file templates for given StandaloneVM or TemplateVM_

usage: qvm-sync-appmenus [options] <vm-name>

---

qvm-sync-appmenus archlinux-template - _useful for custom .desktop files
or distributions not using dnf_

Dom0

qubes-dom0-update

- _Updates or installes software in dom0_

usage:
qubes-dom0-update [--enablerepo][--disablerepo][--clean][--check-only][--gui][--action=*][<pkg list>]

or

usage: qubes-dom0-update

---

qubes-dom0-update --check-only - _checks if new dom0 updates are
available_

sudo qubes-dom0-update - _updates dom0_

sudo qubes-dom0-update --gui - _allows to update dom0 through a
graphical window_

---

sudo qubes-dom0-update --action=search <search-term> - _searches for
package in dom0 repositories_

example:

sudo qubes-dom0-update --action=search qubes - _searches for all qubes
package in dom0 repositories_

_NOTE: The tool excludes all templates (community and ITL) by default_

---

sudo qubes-dom0-update --action=info <package-name> - _displays infos
about the package_

example:

sudo qubes-dom0-update --action=info qubes-core-dom0 - _displays infos
about the qubes-core-dom0 package_

qubes-hcl-report

- _Generates a report about the system hardware information_

usage: qubes-hcl-report [-s] [<vm-name>]

---

qubes-hcl-report - _prints the hardware information on the console
(terminal)_

qubes-hcl-report personal - _sends the hardware information to the
personal-vm under /home/user_

qubes-hcl-report -s - _prints the hardware information on the console
(terminal) and generates more detailed report_

qubes-hcl-report -s personal - _sends the detailed hardware information
report to the personal-vm_

NOTE: qubes-hcl-report -s [<vm-name>] generates a more detailed report.
This report can contain sensitive information. Please do not upload the
report if you do not want to share those information.

virsh

- _Management user tool for libvirt (hypervisor abstraction)_

usage: virsh -c xen:/// <command> [<vm-name>]

---

virsh -c xen:/// list - _list running VM’s with additional information_

virsh -c xen:/// list --all - _list all VM’s with additional
information_

virsh -c xen:/// dominfo personal - _lists status of personal VM_

xl

- _Xen management tool, based on LibXenlight_

usage: xl <subcommand> [<args>]

---

xl top - _Monitor host and domains in realtime_

DomU

qvm-copy-to-vm

- _Copy file from one VM to another VM_

usage: qvm-copy-to-vm <vm-name> <file> [<file+>] - _file_ can be a
single file or a folder

---

qvm-copy-to-vm work Documents - _copy the Documents folder to the work
VM_

qvm-copy-to-vm personal text.txt - _copy the text.txt file to the
personal VM_

EXAMPLE

-   Open a terminal in AppVM A (e. g. your personal vm)
-   Let’s assume we want to copy the Documents folder to AppVM B (e. g.
    your work VM)
-   The command would be: qvm-copy-to-vm work Documents

qvm-open-in-vm

- _Opens file in another VM_

usage: qvm-open-in-vm <vm-name> <file> - _file_ can only be a single
file

---

qvm-open-in-vm personal document.pdf - _opens document.pdf in the
personal VM_

qvm-copy-to-vm personal download.zip - _opens download.zip in the
personal VM_

DomU and Dom0

List Qubes commands

1.  Enter in console:

-   qvm-*
-   qubes*

2.  Press 2x times TAB

Output: List of qvm-* or qubes* commands.

List installed Qubes OS packages

- _List all installed Qubes OS packages_

FEDORA DOM0

In VM or Dom0: rpm -qa \*qubes-\* - _list (qubes-) installed packages_

Files/Folders from and to Dom0

Move Dom0 -> VM

Qubes 3.1+

- _Windows + Linux_

dom0 console: qvm-move-to-vm <vm-name> <file> [<file+>] - _file can be a
single file or a folder_

---

qvm-move-to-vm work screenshot-qubes-gui.png - _moves
screenshot-qubes-gui.png to the personal VM into the
/home/user/QubesIncoming/dom0 folder_

qvm-move-to-vm personal *.png - _moves all .png to the personal VM into
the /home/user/QubesIncoming/dom0 folder_

qvm-move-to-vm work Pictures/ - _moves the Pictures folder and it’s
content to the personal VM into the /home/user/QubesIncoming/dom0
folder_

Copy Dom0 -> VM

Qubes 3.1+

- _Windows + Linux_

dom0 console: qvm-copy-to-vm <vm-name> <file> [<file+>] - _file_ can be
a single file or a folder

---

qvm-copy-to-vm personal screenshot-qubes-gui.png - _copies
screenshot-qubes-gui.png to the personal VM in the
/home/user/QubesIncoming/dom0 folder_

qvm-copy-to-vm personal *.png - _copies all .png to the personal VM in
the /home/user/QubesIncoming/dom0 folder_

qvm-copy-to-vm work Pictures/ - _copies the Pictures folder and it’s
content to the personal VM in the /home/user/QubesIncoming/dom0 folder_

Qubes < 3.1

- _Linux only_

    cat /path/to/file_in_dom0 |
     qvm-run --pass-io <dst_domain>
      'cat > /path/to/file_name_in_appvm'

---

    @dom0 Pictures]$ cat my-screenshot.png |
    qvm-run --pass-io personal
    'cat > /home/user/my-screenshot.png'

VM -> Dom0

    qvm-run --pass-io <src_domain>
     'cat /path/to/file_in_src_domain' >
      /path/to/file_name_in_dom0

Copy text between VM A and B

_On VM A (source):_

1.  CTRL+C
2.  CTRL+SHIFT+C

_On VM B (destination):_

3.  CTRL+SHIFT+V
4.  CTRL+V

Install Qubes Windows Tools (QWT)

1.  sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools -
    _install the windows tools (QWT)_
2.  qvm-start <windows-vmname> - _starts Windows VM_
3.  open a cmd.exe or PowerShell and type bcdedit /set testsigning on
4.  shutdown VM
5.  qvm-start <windows-vmname> --install-windows-tools - _starts Windows
    VM and inserts Qubes Windows Tools installation CD_
6.  double click on qubes-tools-WIN7x64-<version>.exe - _execute and
    install Qubes OS Windows Tools_
7.  restart Windows VM

Troubleshoot

Application in VM does not start

- _How to get more information if applications in a VM refuse to start_

qvm-run personal "command" --pass-io - _pass command directly to the VM.
Returns an error message command fails._

qvm-run personal "xterm" --pass-io - _pass xterm command directly to the
VM. Returns an error message or starts xterm._

---

qvm-run <vmname> "command" --pass-io --nogui - _pass command to VM
without using the GUI_

qvm-run personal "ls" --pass-io --nogui - _pass ls command directly to
the VM. Returns error or output._

Console in VM

- _Attach a console to a VM_

virsh -c xen:/// console <vmname> - _opens console in <vmname>_

---

_Why? Connect if GUI/qrexec does not work for any reason. This way you
can restart/investigate a failed service._

-   In Dom0 terminal: virsh -c xen:/// console personal

-   username: ROOT without a password

_(and when #1130 would be implmented the same for “user”)_

---

In console mode press CTRL + ^ + ] on keyboard to escape from console
mode.

AppVM Log files

- _Log files in AppVMs_

/var/log/qubes - _log file directory_

log files per DomU VM:

-   guid.<vmname>.log - _graphical information_
-   pacat.<vmname>.log - _sound information_
-   qrexec.<vmname>.log - _inter VM communication information_
-   qubesdb.<vmname>.log - _qubesdb information_

Get Qubes OS Version

- _Get the Qubes OS release version_

cat /etc/qubes-release - _prints Qubes release in human readable form_

rpm -qa \*qubes-release\* - _prints exact Qubes release number_

Get Xen Version

- _Display the Xen version_

xl info | grep xen_version - _prints the Xen version_

Qubes OS / Xen Boot

- _Qubes OS and Xen system/kernel messages_

dmesg - _prints error, warning and informational messages about device
drivers and the kernel during the boot process as well as when we
connect a hardware to the system on the fly._

xl dmesg - _prints error, warning and informational messages created
during Xen’s boot process_

_TIP: use dmesg and xl dmesg in combination with less, cat, tail or
head._

Grow disk

qvm-grow-private

- _Increase private storage capacity of a specified VM_

usage: qvm-grow-private <vm-name> <size>

EXAMPLE

-   In dom0 terminal: qvm-grow-private personal 40GB
-   In the personal VM: sudo resize2fs /dev/xvdb

Enlarge AppVMs TMPFS

Enlarge /tmp if you run out of space on the default ~200MB

sudo mount -o remount,size=1024M /tmp - _enlarge the space to 1024MB_

Inter VM Networking

_NOTE: Does not expose services to the outside world!_

Make sure:

-   Both VMs are connected to the same firewall VM
-   Qubes IP addresses are assigned to both VMs
-   Both VMs are started

In Firewall VM terminal:

    $ sudo iptables -I FORWARD 2 -s <IP address of A> -d <IP address of B> -j ACCEPT

-   The connection will be unidirectional A -> B
-   Optional: Bidirectional A <-> B

In Firewall VM terminal:

    $ sudo iptables -I FORWARD 2 -s <IP address of B> -d <IP address of A> -j ACCEPT

-   Check your settings (e. g. using ping)
-   Persist your settings:

    Assume:
      IP of A: 10.137.2.10
      IP of B: 10.137.2.11

In Firewall VM terminal:

    $ sudo bash
    # echo "iptables -I FORWARD 2 -s 10.137.2.10 -d 10.137.2.11 -j ACCEPT" >> /rw/config/qubes_firewall_user_script
    # chmod +x /rw/config/qubes_firewall_user_script

for bidirectional access:

    # echo "iptables -I FORWARD 2 -s 10.137.2.10 -d 10.137.2.11 -j ACCEPT" >> /rw/config/qubes_firewall_user_script

Add USB Wifi card to sys-net VM

- _Attach a USB Wifi card to sys-net VM_

The bus and device number can be different than shown in this example:

1.  qvm-pci -l sys-net - _list all attached pci devices of sys-net_
2.  lsusb - _e. g._ BUS 003 _Device 003: ID 148f:2870 Ralink
    Technology, Corp. RT2870 Wireless Adapter_
3.  readlink /sys/bus/usb/devices/003 - _Important Bus 003 -> 003_
4.  The result of readlink:
    ../../../devices/pci-0/pci0000:00/0000:00:12.2/usb3 - _Important
    00:12.2_
5.  qvm-pci -a sys-net 00:12.2 - _attach USB device 00:12.2 to sys-net_
6.  qvm-pci -l sys-ne - _check if device 00:12.2_ is

Templates

Fedora

- _Fedora template specific_

INSTALLING THE TEMPLATE

sudo qubes-dom0-update qubes-template-fedora-26 - _installs the Fedora
26 template_

sudo qubes-dom0-update qubes-template-fedora-25 - _installs the Fedora
25 template_

sudo qubes-dom0-update qubes-template-fedora-24 - _installs the Fedora
24 template_

sudo qubes-dom0-update qubes-template-fedora-23 - _installs the Fedora
23 template_

UPDATING, SEARCHING & INSTALLING PACKAGES

Fedora > 21

-   installing packages: dnf install <package-name>
-   search for a package: dnf search <package-or-word>
-   updating template: dnf update

Fedora <= 21

-   installing packages: yum install <package-name>
-   search for a package: yum search <package-or-word>
-   updating template: yum update

Fedora Minimal

- _Fedora minimal template_

Qubes OS:

sudo qubes-dom0-update qubes-template-fedora-26-minimal - _installs the
Fedora 26 minimal template_

sudo qubes-dom0-update qubes-template-fedora-25-minimal - _installs the
Fedora 25 minimal template_

sudo qubes-dom0-update qubes-template-fedora-24-minimal - _installs the
Fedora 24 minimal template_

sudo qubes-dom0-update qubes-template-fedora-23-minimal - _installs the
Fedora 23 minimal template_

Debian

- _Debian template_

INSTALLING THE TEMPLATE

-   sudo qubes-dom0-update qubes-template-debian-8 - _Debian 8 “Jessie”_

Qubes OS <= 3.1:

-   sudo qubes-dom0-update qubes-template-debian-7 - _Debian 7 “Wheezy”_

UPDATING, SEARCHING & INSTALLING PACKAGES

-   installing packages: apt-get install <package-name>
-   search for a package: apt-cache search <package-or-word>
-   updating template:
    1.  apt-get update
    2.  apt-get dist-upgrade

Qubes OS + Whonix

- _Whonix is an Debian based OS focused on anonymity, privacy and
security_

Whonix consists of two components:

1.  Whonix-Gateway (uses TOR for all connections to the outside world)
2.  Whonix-Workstation (for application)

INSTALL WHONIX

Whonix-Gateway TemplateVM Binary Install @Dom0:

sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw

Whonix-Workstation TemplateVM Binary Install @Dom0:

1.  export UPDATES_MAX_BYTES=$[ 4 * 1024 ** 3 ]
2.  sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-ws

NEXT STEPS

1.  Create a Whonix-gateway ProxyVM, through Qubes VM Manager
2.  Create a Whonix-workstation AppVM, through Qubes VM Manager
3.  Update your Whonix-Gateway and Whonix-Workstation TemplateVMs (how
    to -> see debian)
4.  (Re)Start Whonix-Gateway ProxyVM
5.  Start Whonix-Workstation AppVM

Archlinux

- _Archlinux template_

INSTALLING THE TEMPLATE

In Qubes OS 3.2:

sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-archlinux

or manually

Use the following instructions: Archlinux Template

UPDATING, SEARCHING & INSTALLING PACKAGES

-   installing packages:
    pacman -S <package-name> [<package-name-2>...<package-name-n>]
-   search for a package: pacman -Ss <package-or-word>
-   updating template: pacman -Syyu

Removing Templates

- _Which were installed using the package manager_

_REMOVE INSTALLED TEMPLATE_

@Dom0: sudo dnf remove [<template-package-name>]

---

sudo dnf remove qubes-template-debian-8 - _remove the Debian 8 VM and
qubes-template-debian-8 package_

_LIST ALL INSTALLED TEMPLATES_

@Dom0: sudo dnf list installed qubes-template-*

Create VM from VMware or VirtualBox images

1.  Download the image in an AppVM
2.  Install qemu-img tools - _e. g. dnf install qemu-img for fedora_
3.  Convert the image to a raw format:
    -   VMware: qemu-img convert ReactOS.vmdk -O raw reactos.img
    -   VirtualBox: qemu-img convert ReactOS.vdi -O raw reactos.img

Qubes OS Directories

Dom0 (Qubes OS)

- _Qubes OS specific directories_

-   /var/log/qubes - _Qubes OS VM log files_
-   /var/lib/qubes - _Qubes OS VMs and other Qubes OS specific files_

Qubes OS Repositories

-   http://yum.qubes-os.org - _Browsable Fedora repositories_