Go back to topic: Audio qube
downloaded local copies of imagesv2 anchor; v2 full version
| ### Patch the source code | HELP WANTED In the audio template, you need to patch the source code. Modify the file "/usr/lib/python3.12/site-packages/qubesadmin/tools/qvm_start_daemon.py" Change the line ``` events = qubesadmin.events.EventsDispatcher(args.app) ``` to ``` events = qubesadmin.events.EventsDispatcher(args.app, enable_cache=False) ``` **HELP WANTED** This should not be necessary, either there is an issue in this guide, or there is a kind of issue in how the caching mecanisme work for Qubes OS. If you have technical skills and time, this point need to be fixed properly. | |
| admin.Events * sys-audio @ | admin.Events * sys-audio @adminvm allow target=dom0 # TODO: check if more / less are required admin.Events +property-set_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.Events +property-pre-set_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.Events +property-pre-reset_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.Events +property-reset_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.Events +property-reset_xid sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.Events +domain-stopped sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.Events +domain-shutdown sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.Events +domain-start sys-audio @tag:audiovm-sys-audio allow target=dom0 |
| admin.vm.CurrentState * | admin.vm.CurrentState * sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.List * sys-audio @tag:audiovm-sys-audio allow target=dom0 |
| admin.vm.property.Get + | admin.vm.property.Get +audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.property.Get +xid sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.feature.CheckWithTemplate +audio sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.feature.CheckWithTemplate +audio-model sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.feature.CheckWithTemplate +supported-service.pipewire sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.feature.CheckWithTemplate +audio-low-latency sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.property.Get +stubdom_xid sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny notify=no |
| - | - Audio quality in some cases (at least jack seems to be problematic) |
| #### Optional step: Noise suppression In "audio-app" you can configure noise suppression: https://github.com/werman/noise-suppression-for-voice#pipewire Audio recording is **much** better, at the cost of a bit of cpu consumption |
| ### | ### Patch the source code | HELP WANTED In the audio template, you need to patch the source code. Modify the file "/usr/lib/python3.12/site-packages/qubesadmin/tools/qvm_start_daemon.py" Change the line ``` events = qubesadmin.events.EventsDispatcher(args.app) ``` to ``` events = qubesadmin.events.EventsDispatcher(args.app, enable_cache=False) ``` **HELP WANTED** This should not be necessary, either there is an issue in this guide, or there is a kind of issue in how the caching mecanisme work for Qubes OS. If you have technical skills and time, this point need to be fixed properly. ### Configuring policy |
| admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny notify=no | # Once the caching issue mentionned in the "Patch the source code | HELP WANTED", the line below could be reactivated #admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny notify=no |
| admin.vm.CurrentState * sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.List * sys-audio @tag:audiovm-sys-audio allow target=dom0 | |
| [/details] | [/details] ## Known issues. HELP WANTED - Keyboard layout switching issue - Autoreconnect to audio vm when audio vm is restarted |
| ```
| ``` |
| #### Bluetooth service Additionally, if you intend to use bluetooth services, you probably want to also enable "blueman" service |
| # Salt A community effort to have this configuration done by a salt script is available here: [qusal/salt/sys-audio at main · ben-grande/qusal · GitHub](https://github.com/ben-grande/qusal/tree/main/salt/sys-audio) |
| Optional package, software to configure sound effect, like noise cancellation: ``` sudo dnf install easyeffects ``` |
| sudo dnf install -y | sudo dnf install -y blueman ``` [details="Note for `debian-12-minimal` templates"] Debian Minimal requires the `libspa-0.2-bluetooth` for bluetooth to work with Pipewire. [/details] |
| #### Important note: Most user will never encounter such a case, but for people that have a LOT of qubes running, it is important to properly configure the audiovm property, it need to be empty for qubes that will never use audio There is a maximum of ~19 qubes that can be running simultaneously without using audio (but with a audiovm configured). After that number, when a new qube is created, sys-audio will stop working. (xenstore quota issue, https://github.com/QubesOS/qubes-issues/issues/8966 ) | |
| ## Special cases of non-linux HVM. | ## Special cases of non-linux HVM. Support have been added by the QubesOS team, so no additional configuration is needed. I haven't yet personnally tested it. If it doesn't work, the old way of doing that is below [details="Old way of doing that"] |
| Redo the same things but for the file "stubdom-linux-full-rootfs" | Redo the same things but for the file "stubdom-linux-full-rootfs" [/details] |
| the vchan modules.
| the vchan modules. |
| following content:
| following content: |
| admin.Events * sys-audio @adminvm allow target=dom0 | admin.Events * sys-audio @adminvm allow target=dom0 |
| admin.vm. | admin.vm.List * sys-audio @adminvm allow target=dom0 |
| admin.vm.feature.CheckWithTemplate +supported-service. | admin.vm.feature.CheckWithTemplate +supported-service.pipewire sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.feature.CheckWithTemplate +audio-low-latency sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.property.Get +stubdom_xid sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny notify=no |
| **TODO**: this list of privileges may not be minimal + some new events may be missed (property-set / property-reset ) |
| You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/compare/main...neowutran:qubes-core-admin-client:fix-8109-and- | You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/compare/main...neowutran:qubes-core-admin-client:fix-8109-and-further3 |
| You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/compare/main...neowutran:qubes-core-admin-client:fix-8109-and- | You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/compare/main...neowutran:qubes-core-admin-client:fix-8109-and-further2 |
| the vchan modules. | the vchan modules. [details="Obsolete"] |
| ``` | ``` [/details] |
| For example "sys-net" "sys-firewall" and others qubes that will never need audio.
| For example "sys-net" "sys-firewall" and others qubes that will never need audio. #### Case 1: Most of your qubes need to have audio By default, configure all qubes to use 'sys-audio' as the audiovm |
| qubes-prefs default_audiovm sys-audio ``` Then remove the audiovm from the qubes that doesn't need audio ``` | |
| #### Case 2: Most of your qubes doesn't need to have audio By default, configure all qubes to use nothing as the audiovm ``` qubes-prefs default_audiovm '' ``` Then add the audiovm for the qubes that need audio ``` qvm-prefs sys-net audiovm 'sys-audio' ... ``` |
|  |
| ### Disabling audio for qubes that doesn't need it You should disable the audiovm for qubes that doesn't need it. For example "sys-net" "sys-firewall" and others qubes that will never need audio. In dom0: ``` qvm-prefs sys-net audiovm '' ... ``` |
| To manually patch the file, modify the file "/usr/lib/python3. | To manually patch the file, modify the file "/usr/lib/python3.12/site-packages/qubesadmin/tools/qvm_start_daemon.py" in your "audio-template" qube |
| ## Known issues [help could be usefull] If you are using pipewire you could have bad microphone recording with some CPU (https://github.com/QubesOS/qubes-issues/issues/8770#issuecomment-1871055606) Very rarely (happened to me once every few months), the audiovm daemon seems to freeze, restarting the process or qube fix the issue. Couldn't reproduce the issue at will to debug it |
| Note: You could permanently assign a usb device to a qube using the dom0 command `qvm- | Note: You could permanently assign a usb device to a qube using the dom0 command `qvm-device`. Example : ` qvm-device usb attach --persistent sys-audio sys-usb-1:2-6` |
| ### Microphone note: You have to attach the device named "dom0:mic" to the qube you want to be able to record your microphone input |
| If you want to have a systray to control the sound, you can install this package ``` sudo dnf install -y pasystray ``` |
| ### Audio is | ### Audio is scratchy [Need someone to comment if this is still usefull] |
| ## Known issues [help could be usefull] If you are using pipewire you could have bad microphone recording with some CPU (https://github.com/QubesOS/qubes-issues/issues/8770#issuecomment-1871055606) Very rarely (happened to me once every few months), the audiovm daemon seems to freeze, restarting the process or qube fix the issue. Couldn't reproduce the issue at will to debug it |
| <emulator | |
| In the rest of the file, you will find two | In the rest of the file, you will find two occurrences of lines starting by "cmdline=", append the following content to these two lines (before the closing double-quote) |
| [details=" | [details="NON RECOMMENDED WAY - Giving much more permission than theorically needed (I am not personnaly using it, so it is less maintained than the other way)"] |
| admin.vm.property.Get +stubdom_xid sys-audio @tag:audiovm-sys-audio allow target=dom0 |
| You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/compare/main...neowutran:qubes-core-admin-client:fix-8109-and-further | You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/compare/main...neowutran:qubes-core-admin-client:fix-8109-and-further To manually patch the file, modify the file "/usr/lib/python3.11/site-packages/qubesadmin/tools/qvm_start_daemon.py" in your "audio-template" qube |
| devices](/doc/device-handling-security/#usb-security) and Bluetooth devices. | devices](https://qubes-os.org/doc/device-handling-security/#usb-security) and Bluetooth devices. |
| devices](/doc/device-handling-security/#security-warning-on-usb-input-devices) devices before proceeding. | devices](https://qubes-os.org//doc/device-handling-security/#security-warning-on-usb-input-devices) devices before proceeding. |
| 1. Create a template named ‘audio-template’ – You can clone ‘fedora-XX’ template for that – | 1. Create a template named ‘audio-template’ – You can clone ‘fedora-XX’ template (or a fedora minimal template) for that – |
| admin.vm.feature.CheckWithTemplate +supported-service.pipewire sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.feature.CheckWithTemplate +audio-low-latency sys-audio @tag:audiovm-sys-audio allow target=dom0 | |
| admin.vm.feature.CheckWithTemplate +supported-service.pipewire sys-audio @tag:audiovm-sys-audio allow target=dom0 admin.vm.feature.CheckWithTemplate +audio-low-latency sys-audio @tag:audiovm-sys-audio allow target=dom0 |
| In any qube, to start pulseaudio with the ‘vchan – *’ modules, run: | For pulseaudio setup: In any qube, to start pulseaudio with the ‘vchan – *’ modules, run: |
| For pipewire setup: In any qube, to start pipewire with the ‘vchan – *’ modules, run: ``` systemctl --user restart pipewire ``` | |
| This issue is that the vchan modules of the | This issue is that the vchan modules of the pulseaudio/pipewire daemon running in the already started qubes are not using the correct audiovm xid (ID of the xen vm). **If you are using pulseaudio**: In standard setup, restarting the pulseaudio daemon is enough. Kill the pulseaudio process and run "start-pulseaudio-with-vchan". **If you are using pipewire (pipewire will be the default soon if not already the case)**: ```systemctl --user restart pipewire``` |
| sudo dnf install -y | sudo dnf install -y pipewire-qubes qubes-audio-daemon pavucontrol qubes-core-admin-client qubes-usb-proxy alsa-utils |
| Note: You could need to first remove the package ‘pipewire-pulseaudio’ before installing the other packages. | |
| sudo dnf install -y blueman | sudo dnf install -y blueman cairo-dock |
| **WIP** |
| [details="Important note"] A lot of thoses modifications can be overwritten by update, like xen.xml, stubdom-linux-rootfs, and qvm_start_daemon. You could need to re-patch them after updates [/details] |
| In the screenshot below, I passed my | In the screenshot below, I passed my audio jack device to |
|  Note: You could permanently assign a usb device to a qube using the dom0 command `qvm-devices`. Example : ` qvm-devices usb attach --persistent sys-audio sys-usb-1:2-6` |
| You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/ | You additionally need to apply this patch: https://github.com/QubesOS/qubes-core-admin-client/compare/main...neowutran:qubes-core-admin-client:fix-8109-and-further |
|   | |
|   | |
|  | |
|   | |
|  | |
|  |
| [details="Result of `qvm-prefs audio-app`"] ``` audiovm D sys-audio autostart D False backup_timestamp - 1689304025 debug D False default_dispvm D fedora-dvm default_user D user dns D gateway D gateway6 D guivm D dom0 icon D templatevm-gray include_in_backups D True installed_by_rpm D False ip D ip6 D kernel D 6.4.8-1.fc37 kernelopts D swiotlb=2048 keyboard_layout D fr+oss+ klass D AppVM label - gray mac D 00:16:3e:5e:6c:00 management_dispvm D default-mgmt-dvm maxmem D 4000 memory D 400 name - audio-app netvm - None provides_network - False qid - 50 qrexec_timeout D 60 shutdown_timeout D 60 start_time D stubdom_mem U stubdom_xid D -1 template - audio-template template_for_dispvms - True updateable D False uuid - 62ad295e-cfdc-4cbd-a5a7-09284dff87d9 vcpus D 2 virt_mode D pvh visible_gateway D visible_gateway6 D visible_ip D visible_ip6 D visible_netmask D xid D -1 ``` [/details] [details="Result of `qvm-prefs audio-template`"] ``` audiovm D sys-audio autostart D False backup_timestamp - 1689304024 debug D False default_dispvm D fedora-dvm default_user D user dns D gateway D gateway6 D guivm D dom0 icon D templatevm-black include_in_backups D True installed_by_rpm D False ip D ip6 D kernel D 6.4.8-1.fc37 kernelopts D swiotlb=2048 keyboard_layout D fr+oss+ klass D TemplateVM label - black mac D 00:16:3e:5e:6c:00 management_dispvm D default-mgmt-dvm maxmem D 4000 memory D 400 name - audio-template netvm D None provides_network D False qid - 49 qrexec_timeout D 60 shutdown_timeout D 60 start_time D stubdom_mem U stubdom_xid D -1 updateable D True uuid - 43dfeca9-41b6-4b85-b462-2c566cc5da1f vcpus D 2 virt_mode D pvh visible_gateway D visible_gateway6 D visible_ip D visible_ip6 D visible_netmask D xid D -1 ``` [/details] [details="Result of `qvm-prefs sys-audio`"] ``` audiovm D sys-audio auto_cleanup D False autostart - True backup_timestamp - 1689304025 debug D False default_dispvm D audio-app default_user D user dispid - 2229 dns D gateway D gateway6 D guivm D dom0 icon D dispvm-gray include_in_backups D True installed_by_rpm D False ip D ip6 D kernel D 6.4.8-1.fc37 kernelopts D keyboard_layout D fr+oss+ klass D DispVM label - gray mac D 00:16:3e:5e:6c:00 management_dispvm D default-mgmt-dvm maxmem - 0 memory D 400 name - sys-audio netvm - None provides_network - False qid - 51 qrexec_timeout D 60 shutdown_timeout D 60 start_time D 1693413928.06 stubdom_mem U stubdom_xid D 2 template - audio-app updateable D False uuid - 9422a856-7b81-464d-9fd5-987ef2cf99f7 vcpus D 2 virt_mode - hvm visible_gateway D visible_gateway6 D visible_ip D visible_ip6 D visible_netmask D xid D 1 ``` [/details] |
| When you configure a Bluetooth device, the configuration files are stored as root in `/var/lib/bluetooth`. If you want the device to be permanently known by the audiovm (even after reboot), you need to either copy this folder to the template qube, or have any other means of deploying back the configuration that have been saved to `/var/lib/bluetooth` |
| ``` | |
| ``` |
| [](/attachment/doc/audiovm-manager.png) [](/attachment/doc/audiovm-sysaudio-1.png) |
| [](/attachment/doc/audiovm-sysaudio-2.png) [](/attachment/doc/audiovm-sysaudio-3.png) |
| [](/attachment/doc/audiovm-pavu-1.png) [](/attachment/doc/audiovm-pavu-2.png) |
| [](/attachment/doc/audiovm-sysaudio-4.png) |
| [](/attachment/doc/audiovm-pavu-3.png) |