Debian based UpdateVM does not support --action=list or reinstall

[awokd]

Qubes OS version:

Affected TemplateVMs:

debian-9, whonix-gw

---

Steps to reproduce the behavior:

Set UpdateVM to a debian-9 based sys-firewall or standard sys-whonix
sudo qubes-dom0-update --action=list kernel-qubes-vm (or --action=reinstall, etc.)

Expected behavior:

packages will be listed or reinstalled

Actual behavior:

ERROR: yum version installed in VM host does not suppport --downloadonly option
ERROR: only 'install' and 'upgrade' actions supported (list not)

General notes:

Ideally these additional --action commands would work with a Debian based UpdateVM, but if it's a WONTFIX there should be a documented work-around available. --action=reinstall is easy enough to document (dnf remove, then install the package) but how does one --action=list available packages in the qubes-dom0-unstable repository for example?

---

Related issues:

#1029
#3495

[andrewdavidwong]

You left the "Qubes OS version" field empty, but I'm guessing you meant 4.0.

[awokd]

@andrewdavidwong No, it applies to both 3.2 & 4.0 using a Debian based UpdateVM.

[awokd]

Probably older versions too, since #1029 was released. Should I have written "all"?

[andrewdavidwong]

Probably older versions too, since #1029 was released. Should I have written "all"?

Yeah, or "3.2 and 4.0," or "3.2 and 4.0 confirmed, but probably all," depending on your temperament with respect to verbosity and speculation. 🙂

(However, since versions prior to 3.2 are no longer supported, it doesn't matter whether they're affected for the purposes of this issue tracker.)

Since an issue can have only one milestone, I'll change this one to 3.2

[awokd]

ERROR: yum version installed in VM host does not suppport --downloadonly option
ERROR: only 'install' and 'upgrade' actions supported (list not)

If I copy in qubes-dom0.repo to my debian-9 template (and disable all repos in there and replace r$releasever with r3.2), yum lets me list available packages. Like the error message says though, --downloadonly is not supported. sys-whonix can't resolve yum.qubes-os.org probably for security reasons, but there must be a way to accomplish the same thing in there because it can download updates for dom0.

user@debian-9:~$ yum --enablerepo=qubes-dom0-current list kernel-qubes-vm
qubes-dom0-current                                                                     | 3.6 kB  00:00:00
qubes-dom0-current/primary_db                                                          | 890 kB  00:00:01
Available Packages
kernel-qubes-vm.x86_64                      1000:4.9.56-21.pvops.qubes                      qubes-dom0-current
user@debian-9:~$ yum --enablerepo=qubes-dom0-current-testing list kernel-qubes-vm
qubes-dom0-current-testing                                                             | 3.6 kB  00:00:00
qubes-dom0-current-testing/primary_db                                                  | 1.6 MB  00:00:02   
Available Packages
kernel-qubes-vm.x86_64                  1000:4.14.18-1.pvops.qubes                  qubes-dom0-current-testing
user@debian-9:~$

[awokd]

Looks like the error is coming from qubes-download-dom0-updates.sh. Need to try modifying it to permit --action=list on a debian-9 template. sys-whonix needs a UWT wrapper defined, if I'm reading the error right.

[marmarek]

See /usr/lib/qubes/qubes-download-dom0-updates.sh
For list, you don't really need --downloadonly, because you don't download any package. Try something like this: marmarek/qubes-core-agent-linux@e60194b

[awokd]

That's the file I was looking at too. Wasn't seeing anything that would prevent a list! Thanks, will try it out and see if I can figure out how to make sys-whonix work with it too. Think it needs a wrapper defined for yum.

[adrelanos]

awokd:

sys-whonix needs a UWT wrapper defined, if I'm reading the error right.

Sure? There is a uwt wrapper for yum and yumdownloader. https://github.com/Whonix/uwt/blob/master/usr/bin/yum.anondist https://github.com/Whonix/uwt/blob/master/usr/bin/yumdownloader.anondist These are the programs run by qubes-download-dom0-updates.sh. It makes more sense to uwt wrap (since there are no socks settings available which would be better) the actual network using programs by the qubes-download-dom0-updates.sh scripts than the qubes-download-dom0-updates.sh script itself. There is no 'dnf' in Debian. Let me know ASP please if something is missing in Whonix so it can make its way into Whonix 14 in time.

[awokd]

Thanks, @adrelanos . Found those wrappers where you said they'd be.
I got @marmarek 's script running on a standard debian-9 template and it works there. It's not super clean output (like it always lists my currently installed packages) but it does also list packages available in the repo specified. Copied it over to sys-whonix, but when I tried the same '--action=list' there with sys-whonix as my updatevm, I got:

mktemp: failed to create file via template '/tmp/uwt_root/tmp.XXXXXXXXXX': Permission denied
chmod: cannot access '': No such file or directory
/usr/bin/uwt: line 259: : No such file or directory
uwt: Missing torsocks configuration file "\.

But I think I may have figured out a work-around at least, I removed fakeroot from this section of Marmarek's code:

+    elif [ "$YUM_ACTION" == "list" ] || [ "$YUM_ACTION" == "search" ]; then
+        # those actions do not download any package, so lack of --downloadonly is irrelevant
+        YUM_COMMAND="fakeroot $YUM $YUM_ACTION -y"

and now it lists packages for the specified repo!
Maybe fakeroot throws off the UWT wrapper?

[awokd]

And this is just something where it would be nice to have feature parity with the Fedora template. If it doesn't make the cut for Whonix 14 it's not a big deal for me at least. Can patch it in later!

[awokd]

In the (Debian) portion of the qubes-download-dom0-updates.sh script, list/search are the only options that use yum instead of yumdownloader. Maybe removing fakeroot there is all that needs to be done since yum can apparently list and search without being sudo.

[adrelanos]

Whonix 14 doesn't use /usr/bin/uwt anymore since it is no longer required. The mktemp workaround is no longer required. (This is because torsocks was improved.)

We are using /etc/tor/torsocks.conf.

# Set Torsocks to use an automatically generated SOCKS5 username/password based
# on the process ID and current time, that makes the connections to Tor use a
# different circuit from other existing streams in Tor on a per-process basis.
# If set, the SOCKS5Username and SOCKS5Password options must not be set.
# (Default: 0)
IsolatePID 1

Since it doesn't use mktemp anymore, you won't have the issue described in #3553 (comment).

I've removed fakeroot from /usr/lib/qubes/qubes-download-dom0-updates.sh as per your instructions and commented out the exit 1 of the does not suppport --downloadonly check.

It's downloading. Dunno yet if it will actually reinstall the template but at least for sure we don't have any uwt / connectivity issues.

[awokd]

Doc link for tracking: QubesOS/qubes-doc#584

[qubesos-bot]

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.24-1+deb10u1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing buster-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.24-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.24-1.fc26) has been pushed to the r4.0 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.24-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.24-1+deb10u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-agent_4.0.24-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update