Dom0 Doesn't Always Show Updates Available

I have also experienced this. Even if I can’t see the dom0 update, sometimes I do manual update using qubes-update-tool instead of terminal. As the wiki says, it’s not safe to do it with the terminal.

DemiMarie commented on Jul 3, 2021

According to the DNF developers, this is a Salt bug.

Congrats to regular users who just want to update their system and aren’t confused what to do trying to do that. I admit I am.

1 Like

Just tried “Update qube” in Qube Manager for dom0, and it found updates which were not shown in the update widget. Indeed looks concerning.

Same here, today.

This section explains what you should do, step-by-step:

https://www.qubes-os.org/doc/how-to-update/#command-line-interface

That could simply be because you manually updated in between automatic update checks.

  1. Your machine automatically checks for updates. (None found.)
  2. New updates appear on the server.
  3. You manually try to update. (Find updates.)
  4. Your machine automatically checks for updates again. (Would have found the updates, except you already manually ran the updater, so you already have them.)

This can happen with any update system, unless it’s constantly checking or updates are being “pushed” to it in real time as soon as they’re available, but I don’t think any operating system works that way.

A post was split to a new topic: Should I autoremove whonix-gw-16?

In every Debian template and standalone: apt-get clean && apt-get -y update && apt-get -y dist-upgrade && apt-get clean

this actually fails with :

E: Could not open lock file /var/cache/apt/archives/lock - open (13: Permission denied)
E: Unable to lock directory /var/cache/apt/archives/
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/

works fine with no leading $sudo apt-get clean and without the && , but guess I read in

that beginning with the $sudo apt-get clean matters?

afaik, I don’t have any dom0 silent update fails, but ran through the commands anyway …

I posted the whonix-ws-16 post because using the dom0 --templates command the command ‘hung’ on the -ws-16, so I went into a template terminal and ran the $sudo apt update / upgrade / clean, (again the leading ‘clean’) fails …

Of course we’re aware of the procedure. But, it is related to #6585 and what we have here is

So, that is where my confusion comes from. What is mitigation for this and all other recent issues? And if that procedure (should) help(s) with all of them, then it should be clearly stated.

I understand @unman to be saying that the original topic of this forum thread is separate (i.e., a distinct matter) from #6585, which is correct. It appears that some folks in this thread took a cursory glance at #6585, saw a bunch of similar-sounding key words, and arrived at the mistaken conclusion that the two are connected in some significant way.

Again, the mitigation for #6585 is clearly stated here:

https://www.qubes-os.org/doc/how-to-update/#command-line-interface

Notice the part beginning with, “As a temporary mitigation until #6585 is fixed, the following update sequence is recommended (see PR #79 for explanation and discussion): […]”

As for “all other recent issues,” you’ll have to be more specific. If they’re off-topic for this thread, they should be discussed elsewhere.

As quoted above, it’s intended to be a mitigation only for #6585, nothing more. Whether it also happens to help with any other things depends on what those other things are.

Not similar words, not significant way, but possibly related?

But, what is mitigation for this issue?

I wouldn’t expect such a noisy wording, but maybe it sounds not nice to me because English is not my first language.

as I understood, this is the mitigation for the #6585 (which has nothing to do with the issue I posted here):

What I still don’t understand, is why should I still update with Salt in the first step, if Salt falsely claims to succeed when it actually fails???

So I update via direct commands in dom0 and don’t think about Salt, till the issue #6585 is solved. It’s rather annoying, but so it is.

1 Like

The position seems clear to me, so I will try to make it clear.

#6585 reports that the update mechanism based on Salt will sometimes
fail, but that the update tool will report success. This is probably
due to the salt state failing to correctly parse output from native
update tools( dnf/apt-get/ etc).

This issue reports that the update tool does not report when there
are updates available for dom0.
There may be a number of causes:-

  1. The “check for updates” never runs.
  2. The check for updates runs, but the output is incorrectly parsed, so
    the update tool does not report updates available.
  3. The check runs, the output is correctly parsed, but the trigger for
    displaying a warning of available updates does not fire.
  4. The trigger fires, but the display mechanism is broken.

There are probably other routes to failure.
Case 2 may be related to #6585 - it is possible that fixing salt for
#6585 will fix this issue.

If this is a genuine issue in 4.1 the mitigation would be to run a dom0
update manually, using qubes-dom0-update.
That is, as a matter of fact, the same mitigation suggested to deal
with #6585.
Even if the root causes are completely different, the same mitigation
may apply
. This is not unusual.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

I’m f… confused.
Salt falsely claims to succeed when it actually fails, so why should I use Salt for the update process??

And I did not write “direct command”, but “direct command in dom0”. It’s big difference and is just the mitigation of the #6585 issue. The question is, why should I still use Salt on the first step??

I was hoping to clear up confusion.

There are some cases where Salt does not report failure. In most cases
it does report failure correctly.
As has been repeatedly said, Salt is the current route for distributing configuration and update
changes.
If you do not use the update tool you will not get these.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

I thank you for this clear answer. I hope you understand regular user(s) are or were confused, so your response is exactly what we (I) needed.

you surely cleared some central points, but does it make sense to use Salt, if it works just in “most cases”? Because I can not see, if in that particular case the Salt reports the succeeded update or not.

I now realize that we simply don’t have an alternative. We are advised to use procedure for #6585 and there isn’t anything else that can be done at the moment.

That’s i understood, but why is there Salt in the first step, if Salt does not deliver reliable result?

I mean these steps:

Update dom0 with Salt.
Update dom0 by direct command.
Update templates and standalones with Salt.
Update templates and standalones by direct commands.

Why not just
Update dom0 by direct command.
Update templates and standalones by direct commands (in dom0)

Or do I still understand something wrong? :slight_smile:

AFAIK there are things which cannot be updated with the direct commands. Also, Salt is already almost reliable and will become fully reliable soon. There are some explanations in my links.

1 Like