4.1 in dom0, 4.2 in sys-firewall

Can you try this command in sys-net and see if you get anything? I want to make sure it’s not just ping that’s not working.

curl -IL 1.1.1.1

[user@sys-net ~]$ curl -IL https://qubes-os.org
HTTP/2 301
date: Tue, 16 Jan 2024 20:26:52 GMT
location: https://www.qubes-os.org/
cache-control: max-age=3600
expires: Tue, 16 Jan 2024 21:26:52 GMT
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=2wYOL6BCnInuEc%2B8d2SSZxJBup%2FO54y%2B7tnZbY3dK7JlsyuhzsWfkCsMyt4h0zDW%2FfEeEJebYQqdSGtxenVOBOQuoqqx%2FOdF0Kl2Hs%2B%2B%2BRRDKrZpzjPsE4OFJx1bq4g%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
cf-ray: 8469188f686618cc-EWR
alt-svc: h3=":443"; ma=86400

HTTP/2 200
server: GitHub.com
content-type: text/html; charset=utf-8
last-modified: Mon, 15 Jan 2024 18:43:50 GMT
access-control-allow-origin: *
etag: "65a57ce6-77c0"
expires: Tue, 16 Jan 2024 13:42:11 GMT
cache-control: max-age=600
x-proxy-cache: MISS
x-github-request-id: 2638:5734:BEA43B:FE5585:65A6855B
accept-ranges: bytes
date: Tue, 16 Jan 2024 20:26:52 GMT
via: 1.1 varnish
age: 0
x-served-by: cache-ewr18130-EWR
x-cache: HIT
x-cache-hits: 1
x-timer: S1705436813.950127,VS0,VE14
vary: Accept-Encoding
x-fastly-request-id: d7e663ba900cbbec5f8a187ecf040d1b79ac7ce5
content-length: 30656

[user@sys-net ~]$ curl -IL 1.1.1.1
HTTP/1.1 301 Moved Permanently
Server: cloudflare
Date: Tue, 16 Jan 2024 20:28:28 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://1.1.1.1/
CF-RAY: 84691ae82ccc6a52-EWR

HTTP/2 200
date: Tue, 16 Jan 2024 20:28:28 GMT
content-type: text/html
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=CdS8ebaLEUzhGbNcfdRemcHjKxvaOMhH6%2B1GFwJcbmErG2V%2BXpvNoe0ln0TtyL%2F9OR81L7Gin1A30pE6wZ%2BQT9rz3PxB%2F3MaDMbUS60xvoIBd6DuT3ML7TA%3D"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
last-modified: Fri, 21 Jul 2023 21:11:33 GMT
strict-transport-security: max-age=31536000
served-in-seconds: 0.002
cache-control: public, max-age=14400
cf-cache-status: HIT
age: 483
expires: Wed, 17 Jan 2024 00:28:28 GMT
set-cookie: __cf_bm=imb6.Wtc.SX_Z6HvmvExvtKhzgcwyF1awOkkE_pnpl4-1705436908-1-AW0TlzAfshcDv0orNRwy7/Da3Y7cqppO4c0/GzwNft6bZMZHjAkuqBOg6uei2CZtXF+2wHGtfbiQvxCtgXlFALc=; path=/; expires=Tue, 16-Jan-24 20:58:28 GMT; domain=.every1dns.com; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 84691ae89ff442e6-EWR
alt-svc: h3=":443"; ma=86400

Okay, so your network is working. Are you really unable to ping anything from sys-net?

[user@sys-net ~]$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=2.71 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.987 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=2.53 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=1.30 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=1.19 ms
64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=1.35 ms
64 bytes from 192.168.1.1: icmp_seq=7 ttl=64 time=1.14 ms
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=2.54 ms
64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=1.16 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=64 time=2.94 ms

I was talking about external IPs and domains like 1.1.1.1 and qubes-os.org for example.

[user@sys-net ~]$ ping qubes-os.org
PING qubes-os.org (172.67.208.186) 56(84) bytes of data.
and
[user@sys-net ~]$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
and
[user@sys-net ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

all just hang with the blinking cursor

Maybe you are not allowed to use ping on your external network. Can you run the same curl command, but this time in sys-firewall, to see if you can reach the Internet?

[user@sys-firewall ~]$ curl -IL 1.1.1.1
HTTP/1.1 301 Moved Permanently
Server: cloudflare
Date: Tue, 16 Jan 2024 20:40:37 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://1.1.1.1/
CF-RAY: 84692cb12a5d0f45-EWR

HTTP/2 200
date: Tue, 16 Jan 2024 20:40:37 GMT
content-type: text/html
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=UxXhGTocMR9Crl9ycy8bv49KxgDGc1Gl0KvtKUbSPIkojNaBRD19hi2WpKJMj%2BLqdnQmfFwlmy38phIjhQK8zTnmkXv2WdrUV34C0Riht%2FinZq%2B%2FRFxlM18%3D"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
last-modified: Fri, 21 Jul 2023 21:11:33 GMT
strict-transport-security: max-age=31536000
served-in-seconds: 0.002
cache-control: public, max-age=14400
cf-cache-status: HIT
age: 414
expires: Wed, 17 Jan 2024 00:40:37 GMT
set-cookie: __cf_bm=Fstg7u2MfAtyeE3IAxTDhtvA.9NwM.7lY9NouXFSJcc-1705437637-1-ARyN55RimGPN5DB61msWfErObSOmqbJ+tjvdLTW6ijDycRlSjCurzwqhNies0PLwjEvHe+XBq6fJan4Ar7WELM0=; path=/; expires=Tue, 16-Jan-24 21:10:37 GMT; domain=.every1dns.com; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 84692cb1b9350f99-EWR
alt-svc: h3=":443"; ma=86400

Well, it means that you should be able to download and upgrade dom0.

Do you get the same problem when you run this command again from dom0?

sudo qubes-dist-upgrade --release-upgrade --dist-upgrade

Errors during downloading metadata for repository ‘qubes-dom0-cached’: - Curl error (37): Couldn’t read a file:// file for file:///var/lib/qubes/updates/repodata/repomd.xml [Couldn’t open file /var/lib/qubes/updates/repodta/repomd.xml]
…All mirrors were tried

Try this command in dom0 to disable the problematic repo and run the upgrade script again using the same command as before.

sudo dnf config-manager --set-disabled qubes-dom0-cached

Did the new command, and the upgrade failed again with the same firewall error listed above.
Is a reboot needed after
```
sudo dnf config-manager --set-disabled qubes-dom0-cached
```

Try switching to sys-net instead. Add the qubes-updates-proxy service and restart sys-net:

qvm-service sys-net qubes-updates-proxy -e

After sys-net is restarted, use this command:

sudo qubes-dist-upgrade --release-upgrade --dist-upgrade --updatevm sys-net

[user@sys-net ~]$ qvm-service sys-net qubes-updates-proxy -e
bash: qvm-service: command not found…

Run the commands in dom0, don’t forget to restart sys-net after adding the service.

Ran the command in dom0, restarted sys-net, gave the upgrade command - and it stopped at the same place again

The last line in dom0 is: 'Error: There are no enabled repositories in “/evc/yum.real.repos.d”.'

What error are you getting?

It seems to need the cached repo.
Enable it again and try to clean everything up before running the upgrade script again:

sudo dnf config-manager --set-enabled qubes-dom0-cached
sudo dnf clean all

The last line in the pop-up sys-firewall terminal is 'Press Enter to exit', which then gives the last line in dom0: 'Error: There are no enabled repositories in “/evc/yum.real.repos.d”.'