Really confused. Are you able to install any template as of today since integration of qvm-template?!
EDIT: seems like qubes-dom0-update talks correctly through update proxy of sys-whonix/sys-firewall, but that qubes-repo-templates package and logic of appvm reuses that appvms proxy-forwarder if one is defined.
Sorry for the noise, my setup is special: I have whonix templates updates cached by a modified shaker/cacher apt-cacher-ng setup.
My issue is that sys-whonix repositories are modifed to be conform to apt-cacher-ng format (http://HTTPS/// urls in repository related files) where qubes-repo-templates package basically deploys new repository file definition and GPG keys, and that file was not modified to be compliant with apt-cacher-ng expected format.
Note that shaker/cacher currently excludes whonix templates support and that my bug affects me and me alone, having sys-whonix check for updates related to whonix-gw-16 (qubes-update-check service) and have sys-whonix use apt-cacher-ng proxy per dom0 policy and activation through updates-proxy-setup service activated).
My setup is not a recommended deployment, while whonix support under shaker/cacher is discussed over @unman shaker/cacher relative issue.
I do not see @unman’s shaker/cacher being impacted by this issue if sys-whonix is left alone by cacher and left for dom0 to use it as dom0 updatevm (option at install).
@unman: I see a possible issue though if sys-firewall is used as dom0 updatevm and if sys-firewall is used to report dom0 updates, while sys-firewall has updates-proxy-setup enabled with dom0 policy permitting @anyvm to talk through apt-cacher-ng. As I remember the conclusion of our talks, you were against doing that, expecting users to update all templates prior of usage, so no template updates notifications to users. Otherwise, users enabling update checks through cacher will need both inotifywatch daemon and cacher_configure script to rewrite repository definitions under /etc/qubes/repo-templates/qubes-templates.repo, which is a new requirements of qvm-template but currently not deployed under Qubes template
[user@dom0 ~]$ qvm-service sys-firewall
qubes-update-check on
updates-proxy-setup on
From having updates-proxy-setup service enabled for dom0 updatevm, that would mean that updatevm would have dom0 template downloaded through apt-cacher-ng as well and then passed to dom0’s updatevm… I am reconsidering having updates notifications when using cacher and not sure how to go forward.
If can help please tell how. sys-whonix updatevm here no cacher. Test for Insurgo because he treasure. unman also extraordinary precious wizard so happy if can help. Now have qubes-repo-templates install in whonix-gw-16. Should revert? What tests useful?
I have not extensively tested this. I have just witnessed that qubes-repo-templates package is not installed under debian/fedora/whonix, as referred in currently opened issue, with mea culpa telling my setup was the cause of my issue (cacher with repositories all modified to be compatible with apt-cacher-ng. Therefore, newly deployed repositories by qubes-repo-templates package in templates were not apt-cacher-ng compatible and the requests from those templates simply silently failed, until I deactivated updates-proxy-setup service, with qubes-repo-templates package installed to infirm my prior hypothesis. I configured my qubes to check and report to dom0 for available updates, and to do so, I need those templates to be apt-cacher-ng compatible, and use apt-cacher-ng update proxy through enabling updates-proxy-setup on those qubes. By doing so, not modifying /etc/qubes/repo-templates/qubes-templates.repo, deployed by qubes-repo-templates package results in dom0 qvm-template failing. Other configuration will oviously have different result, while qubes-repo-templates package still needs to be deployed and Qubes documentation updated accordingly and where shaker/cacher currently is not affected by the bad behavior, simply because cacher use case relies on users manually updating templates and not relaying on qubes reporting available updates (qubes-update-check service on qubes) nor having qubes rely on apt-cacher-ng to report such updates nor use apt-cacher-ng to fetch repository packages (updates-proxy-setup is nly enabled on Templates through shaker/cacher. App qubes, such as sys-firewall if defined as qubes dom0 updatevm, will be used through normal https connection and won’t fail qvm-template calls from dom0 if cacher is not used. @unman : makes sense?
Conclusion is confirming that qvm-template is lacking proper error reporting in case qubes-repo-templates is not deployed on dom0’s updatevm Template, current Qubes OS documentation not referring to qvm-template at all, while requirements of a additioanl qubes-repo-templates package deployment under templates is nowhere to be found, nor automatically installed.
@Confused : can you validate that
[user@dom0 ~]$ qvm-prefs sys-firewall template
What is template?
If template Fedora/Debian without qubes-repo-templates package installed in that template:
[user@dom0 ~]$ qubes-prefs updatevm sys-firewall
[user@dom0 ~]$ qvm-template install fedora-37
Which didn’t give any output, which is what I confirmed being bogus since whonix-gw-16, Fedora-36 and Debian-11 standard templates should have qubes-repo-templates package installed by default. Not sure what @unman meant there:
Since from your sole current testing, you confirmed that whonix-gw-16 is not deploying qubes-repo-templates package, where I confirmed that it was not deployed under fedora-36.
A quick check on debian-11 template:
user@debian-11:~$ sudo apt install qubes-repo-templates
[...]
After this operation, 19.5 kB of additional disk space will be used.
Get:1 http://HTTPS///deb.qubes-os.org/r4.1/vm bullseye/main amd64 qubes-repo-templates amd64 4.1.2-1+deb11u1 [5,028 B]
Fetched 5,028 B in 0s (24.4 kB/s)
Selecting previously unselected package qubes-repo-templates.
(Reading database ... 167991 files and directories currently installed.)
Preparing to unpack .../qubes-repo-templates_4.1.2-1+deb11u1_amd64.deb ...
Unpacking qubes-repo-templates (4.1.2-1+deb11u1) ...
Setting up qubes-repo-templates (4.1.2-1+deb11u1) ...
Confirms that qubes-repo-templates packages should be installed in all templates, otherwise its a bug.
My conclusion is that qvm-template being used under dom0 is currently missing an expected package dependency all standard deployed templates (whonix-gw-16+, debian-11+ and fedora-36+), that is, qubes-repo-templates deployed as default.
Or the repository file should come with what provides /usr/lib/qubes/qvm-template-repo-query script: qubes-core-agent-dom0-updates, or qubes-core-agent-dom0-updates having a dependency on qubes-repo-templates packages for all distributions.
Test update proxy.
In template-updater, install qubes-core-agent-networking.
Enable qubes-updates-proxy service in updater.
Set updater as default target for qubes.UpdateProxy in
/etc/qubes/policy/30-user.policy
Update a template? OK
Test dom0 updates.
In template-updater, install qubes-core-agent-dom0-updates
qubes-prefs updatevm updater
Restart updater. Confirm that qubes-repo-templates is not installed , and
there are no definitions of dom0 template repositories under /etc/qubes
In dom0, run qvm-template list. OK
qvm-template-gui, install a template. OK
Test modified repo definitions.
Modify repositories in templates-updater to be compatible with
apt-cacher-ng.
Shutdown template-updater.
restart updater.
Update a template? OK
In dom0, run qvm-template list. OK
qvm-template-gui, install a template. OK
Conclusion
The only package required to act as updatevm, beside networking, is qubes-core-agent-dom0-updates.
Both debian-11 and fedora-36 templates can be used as base for updatevm
qube, and work without adding qubes-repo-templates package.
I am not saying there is no issue. I am saying you have not identified
the issue, and have generalised to a faulty conclusion.
You should change the title and edit the first entry to make the position
clear.
Hi,
I’m suffering of similar troubles after installing cacher and I can confirm that in my cacher qube isn’t installed qubes-core-agent-dom0-updates.
Do You think installing it may solve my troubles?
Can I do any other check You think may be useful for clarify the problem?
Thanks a lot,
cheers,
M.
@unman : i will retest again next week.
I clarified my setup, where other users missing qubes-repo-templates package (the repository file for templates repositories is provided by quebes-repo-templates under dom0’s updatevm’s template)
I agree this lacks systemic testing.
Was not yet able to install new template following your extra-space additional thin LVM, since additional paths under dom0 are used by qvm-template as opposed to qubes-dom0-update (dom0’s ~/.cache is used to store piped rpm to dom0, as well as /var/tmp paths for extraction). As of now, my wyng metadata cache under dom0 is consuming a lot of space which prevents me to test qvm-template download systematically from clean setup).
Simply installing cacher should not (and in most cases does not) cause
problem.
What exactly is your set-up?
What is your updatevm - qubes-prefs or Global Settings GUI.
What is template for updatevm?
Have you made any other changes?
Hi unman,
sorry, I’ve mispelled it.
When talking about troubles, I’m talking about templates not cached by cacher qube (as oel 8 and similiar).
I’ve tried putting proxy in yum.conf, but it still cannot reach external internet.
$ qubes-prefs updatevm
sys-whonix
but I’ve yet tried to put it to somewhat else, without succeding.
Thanks for Your help!
Cheers,
M.
I can wipe it off and ask for it to be synced back prior of next backup through arch-init from.
Will test again next week, but as of now I’m really puzzled by you saying quebes-repo-templates not being needed. What that package provides is repo definition for dom0 templates + gpg signatures, nothing more or less.
Why puzzled?
If you use a Debian updatevm, do you install the fedora 32 dom0 repository
definitions?
If you add a new repository in dom0, do you add that definition in the updatevm?
Because qubes-dom0-update and qvm-template are not calling the same codepaths, and because qubes-repo-templates package is explicitly dom0 templates repo definitions to be added to dom0’s updatevm’s Template and exist for debian, fedora, and because rpc calls depend on the /etc/qubes/templates-repo/repo to be defined under dom0 updatevm template, and are fedora-32 related because of dom0. Have you checked what qubes-repo-template provides on debian/fedora templates?
I will check again like said but now there is something I do not understand for sure with qvm-template requirements and will read code linked to dom0 rpc calls linked to qvm-template. I checked quickly with and without qubes-repo-templates, thought i understood but now I definitely doubt with you saying that package is not required.