CLI updates without disp-mgmt-* qubes in 4.2?


In Qubes 4.1 I used to update templates using these commands.

In 4.2 they still work, however the way the GUI updater, Qubes OS Update, works seems different - unlike the commands from above, it no longer starts an additional disp-mgmt-* qube but updates the templates directly.

My questions are:

  • Why is it different in 4.2?

  • How can I update from command line in the 4.2 way, i.e. without starting disp-mgmt-* disposables?

The new update tool is named qubes-vm-update:

usage: qubes-vm-update [-h] [--max-concurrency MAX_CONCURRENCY] [--restart] [--no-cleanup] [--targets TARGETS | --all | --update-if-stale UPDATE_IF_STALE] [--skip SKIP] [--templates] [--standalones] [--app]
                       [--dry-run] [--log LOG] [--no-refresh] [--force-upgrade] [--leave-obsolete] [--show-output | --quiet] [--no-progress]

  -h, --help            show this help message and exit
  --max-concurrency MAX_CONCURRENCY
                        Maximum number of VMs configured simultaneously (default: number of cpus)
  --restart             Restart AppVMs whose template has been updated.
  --no-cleanup          Do not remove updater files from target qube
  --targets TARGETS     Comma separated list of VMs to target
  --all                 Target all non-disposable VMs (TemplateVMs and AppVMs)
  --update-if-stale UPDATE_IF_STALE
                        DEFAULT. Target all TemplateVMs with known updates or for which last update check was more than N days ago. (default: 7)
  --skip SKIP           Comma separated list of VMs to be skipped, works with all other options.
  --templates           Target all TemplatesVMs
  --standalones         Target all StandaloneVMs
  --app                 Target all AppVMs
  --dry-run             Just print what happens.
  --log LOG             Provide logging level. Values: DEBUG, INFO (default) WARNING, ERROR, CRITICAL
  --no-refresh          Do not refresh available packages before upgrading
  --force-upgrade       Try upgrade even if errors are encountered (like a refresh error)
  --leave-obsolete      Do not remove obsolete packages during upgrading
  --show-output         Show output of management commands
  --quiet               Do not print anything to stdout
  --no-progress         Do not show upgrading progress.

It’s similar to qubesctl. You can target specific qubes and set the max concurrency for example.

As for why it was changed, I can’t answer for the developers, but I suspect it was done to remove the salt dependency and all the problems associated with it (deprecated dependencies related to salt and distro patches breaking things, for example).



How did you learn about this new tool? (trying to figure why I have missed it)

I check the Qubes OS GitHub quite often, and I spotted a few pull requests related to it a while back, so I started using it in 4.2 instead of the GUI. It’s used by the Qubes updater in the background; you can check, for example, with ps aux while it’s doing updates.

I don’t think it’s officially announced anywhere, so it’s a bit hidden for now. Might be a good idea to add it to the “How to update” documentation.


Might be a good idea to add it to the “How to update” documentation.

Indeed. Have you suggested that on GitHub?

I don’t have an account there unfortunately, and the signup process wasn’t really Tor-friendly the last time I checked.

It works with Tor but requires JS for the captcha. Afterwards, most things work with JS disabled. In the worst case, you will be pseudonymous (just like on the Qubes forum).

Maybe something has changed, but GitHub wasn’t Tor-friendly.
It caused issues on the registration or afterwards.

Maybe something has changed, but GitHub wasn’t Tor-friendly.

Can we probably have this thread split?