I’m trying to add a private yum repo to dom0. In one of my previous posts, I configured a new appvm to work as my updates vm so I can do my updates over a wireguard connection. I got that all functioning properly for dom0 and template vms, but after attempting to add a repo that points to a custom yum repository, I’m getting errors that look like perhaps it has something to do with the trust of a repo?
I see this on dom0:
^C*** ERROR while receiving updates:
Error canonicalizing /var/tmp/qubes-updates-tmpeparz_h0.UNTRUSTED/openssh-8.7p1-1.el8.x86_64.rpm
and on the console of my wireguard updates vm:
‘/usr/lib/qubes/qrexec-client-vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent /var/lib/qubes/dom0-updates/packages/*.rpm’ failed with exit code 1!
Not sure how to debug what qrexec isn’t happy with. If I run this command manually, it just returns with a 1 exit status but no output.
The repo I added is not GPG signed. It’s just a regular yum repo. Template VMs have no issue.
Even if it’s a bad idea to add a repo to dom0, I’d like to understand why this isn’t working to deepen my knowledge of Qubes. I’ll probably not include this repo in dom0 in the end, but it would be nice to understand what’s failing here. If I remove my custom repo, things are happy again.
Not an answer to the question, but may be useful nonetheless.
@xxedgexx When I created my own repository of RPM packages, I automated some of the signing work with reuse in mind. If you are somewhat familiar with GitHub and can read a relatively simple Makefile, you can use that code to create a signed repository of RPM packages.
The description in GitHub contains a link to my own package repository if you want to see it in action, and the README.md file includes usage instructions.
You are likely aware of the main advantage of a signed repository, which is to know exactly what gets installed in your dom0, but note that it also means that you don’t need to trust the service where you host the packages since their content will be verified before use. That means you can maintain a public repo for free, like I do.
Last note: I use split-GPG, but you can replace the value of GPG_CMD if you don’t.
I also want to create a custom yum repo for dom0 packages.
I would like to build from a bunch of .spec files, a bunch of .src.rpm and .rpm files. The problem is that some packages have build dependencies that are other packages that need to be built first. I have not found any straightforward way to automate the build process. I have looked for tutorials and all I have found are ones that teach how to build a single package.
You don’t say how those other packages are organised, or where they are stored.
You likely already have yum-builddep, as part of dnf-utils.
There’s a nice summary of build tools here
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
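The build-ordering problem raised above, as an added example that is not from any poster in this thread: it reads Name, %package, Provides and BuildRequires from each spec and topologically sorts the specs so that providers are built first. The package names and spec contents are constructed, and only the %{name} macro is expanded (an assumption that keeps the parser short).

```python
import re
from graphlib import CycleError, TopologicalSorter

# Constructed sample specs (hypothetical package names), trimmed to the tags used here.
SPECS = {
    "foo-gui.spec": "Name: foo-gui\nBuildRequires: foo-tools libfoo-devel\n",
    "foo-tools.spec": "Name: foo-tools\nBuildRequires: libfoo-devel >= 1.0, gcc\n",
    "libfoo.spec": "Name: libfoo\nBuildRequires: gcc, make\n%package devel\nSummary: headers\n",
}
TAG = re.compile(r"^(Name|BuildRequires|Provides):\s*(.+)$", re.I)
SUBPKG = re.compile(r"^%package\s+(-n\s+)?(\S+)")

def parse_spec(text):
    """Return (names this spec produces, build dependencies it declares)."""
    name, provides, requires = None, set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := SUBPKG.match(line):
            # "%package devel" yields <name>-devel; "%package -n foo" yields foo.
            provides.add(m.group(2) if m.group(1) else f"{name}-{m.group(2)}")
        elif m := TAG.match(line):
            tag, value = m.group(1).lower(), m.group(2).replace("%{name}", name or "")
            if tag == "name":
                name = value.strip()
                provides.add(name)
            else:
                # Drop version constraints such as ">= 1.0", keep capability names.
                value = re.sub(r"(>=|<=|=|>|<)\s*\S+", " ", value)
                items = {v for v in re.split(r"[,\s]+", value) if v}
                (requires if tag == "buildrequires" else provides).update(items)
    return provides, requires

def build_order(specs):
    """Order spec files so each is built after the specs providing its BuildRequires."""
    parsed = {fn: parse_spec(txt) for fn, txt in specs.items()}
    provider = {cap: fn for fn, (prov, _) in parsed.items() for cap in prov}
    graph = {}
    for fn, (_, req) in parsed.items():
        # Only dependencies produced by another spec in the set constrain the order;
        # everything else (gcc, make, ...) is expected from existing repositories.
        graph[fn] = {provider[r] for r in req if r in provider and provider[r] != fn}
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular BuildRequires: {exc.args[1]}") from exc

if __name__ == "__main__":
    print(" -> ".join(build_order(SPECS)))
```

Dependencies that no spec in the set produces, such as gcc here, do not affect the order and are left for yum-builddep to install from the configured repositories.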