Qubes

I’ve worked with Qubes for about two years now. I’ve got a few tips and tricks after some time using it.

  • Don’t watch videos in browsers

It’s probably better to watch them on a spare phone, or download and watch in a dedicated application, like VLC. Firefox has terrible YouTube performance, and Chromium isn’t much better. No GPU acceleration in Qubes, so your software renderer has to be close to bare-metal with nice buffers to get any good performance. VLC and other native players are used to dealing with constrained software renderers, they’ve been around since Windows XP, probably earlier.

  • BIOS/UEFI boot can require fiddling

My motherboard doesn’t detect Qubes' default UEFI firmware files. /boot/efi/EFI/BOOT/BOOTX64.cfg was the only location for files that was accepted, probably matching a Windows boot path.

  • Growing VM disks, easy. Shrinking VM disks, harder than it should be.

You’ve got to boot into emergency/single user mode, check and resize the disk, shutdown, resize the lvm mountpoint, boot normally. I use this to reclaim disk space for the pool when a VM has lost some weight.

Shrinking a Qubes disk to 100G (Note that ‘nopat’ matched my qvm-prefs –default kernelopts)

  • qvm-prefs -s VM qrexec_timeout 999999
  • qvm-prefs -s VM kernelops nopat single
  • qvm-start VM&
  • sudo xl console VM
  • Enter recovery shell
  • fsck.ext4 /dev/xvdb
  • resize2fs /dev/xvdb 100G
  • shutdown -h now
  • Exit recovery shell (should happen after power off)
  • sudo lvresize -L100.1G /dev/qubes_dom0/vm-VM-private
  • qvm-prefs –default VM qrexec_timeout
  • qvm-prefs –default VM kernelopts
  • qvm-start VM&
  • Done

I have some mild paranoia that I need a few extra bytes, like I’ll have some misalignment, so I keep the disk a hundred MB bigger than it needs to be. Probably safe to use 100G in lvresize.

Unfortunately, I can’t recommend it as an OS in the long term. Why’s that?

  1. It’s falling out of date and has few active maintainers. The usual risks around unmaintained software are growing while performance is dropping.
  2. It has a steep learning curve - not only are you running a hypervisor, but you’re running one with a custom userspace layer. Expect to find a lot of rough edges.
  3. It’s not fun to use. The security domain is rigid, which means you’ll be annoyed by performance issues and browser race conditions, even with a recent high end machine.

With a base operating system 4 versions behind current, even new installs are behind the latest fixes. The Firefox version bundled is practically archiac.

However, if you’re looking for excellent separation of concerns and identities, I’m hard pressed to find a more compelling alternative to Qubes. It’s strengths are in it’s security domain and not in it’s usability.