Enabling Qubes onion repositories for Fedora templates

I followed the Whonix wiki on “onionizing” repositories. For Fedora they mention that one should:

Note: Updating Fedora templates exclusively over Onion Services is not possible – only related Qubes repositories can be onionized. The reason is Fedora does not maintain onion service repositories.

1. In Fedora Template, open the qubes-r4.repo file in a text editor. At the time of writing Qubes-R4 was the current stable release.

sudo gedit /etc/yum.repos.d/qubes-r*.repo
  • uncomment the lines that contain Qubes_onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r4.1/current/vm/fc$releasever
baseurl = http://yum.{{Qubes_onion}}/r4.1/current/vm/fc$releasever

Save and exit.

2. In Fedora Template, confirm the onion service repositories are functional.

sudo dnf update

The problem is that after I did that step and tried to download a specific package from the Qubes repositories for testing purposes I was met with this error:

[MIRROR] libxdo-3.20210804.2-2.fc35.x86_64.rpm: Curl error (6): Couldn't resolve host name for http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/current/vm/fc35/rpm/libxdo-3.20210804.2-2.fc35.x86_64.rpm [Could not resolve host: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion]
[MIRROR] libxdo-3.20210804.2-2.fc35.x86_64.rpm: Curl error (6): Couldn't resolve host name for http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/current/vm/fc35/rpm/libxdo-3.20210804.2-2.fc35.x86_64.rpm [Could not resolve host: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion]
[FAILED] libxdo-3.20210804.2-2.fc35.x86_64.rpm: No more mirrors to try - All mirrors were already tried without success
(22-23/29): qt5-qtto 42% [========-           ] 158 MB/s |  13 MB     00:00 ETA
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Error downloading packages:
  libxdo-1:3.20210804.2-2.fc35.x86_64: Cannot download, all mirrors were already tried without success

I don’t know how to fix it. I already have a package such as torsocks installed. Also in the Qubes Global Settings I have sys-whonix as the default dom0 update qube.

You need to change the update qube for your templates as well:

Thanks @tzwcfq, I already did it before during the Qubes 4.1 installation, so I don’t think that’s the issue here:

[user@dom0 ~]$ sudo cat /etc/qubes-rpc/policy/qubes.UpdatesProxy 
$type:TemplateVM $default allow,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny

Did sudo dnf update work for you with onion repository before you tried to install a specific package from the Qubes repository?

Nope.

[user@test-vm ~]$ sudo dnf update
Qubes OS Repository for VM (updates)            0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'qubes-vm-r4.1-current':
  - Curl error (6): Couldn't resolve host name for http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/current/vm/fc35/repodata/repomd.xml [Could not resolve host: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion]
Error: Failed to download metadata for repo 'qubes-vm-r4.1-current': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Is that AppVM you’re trying to install the package in or a TemplateVM?

I think you nailed it. Package installs properly on a TemplateVM (was trying to install it on the AppVM just for testing purposes).

I can live with that, I don’t think it’s a big problem but do you think this kind of behavior is to be expected and not a bug?

Do you have sys-whonix as netvm for test-vm?


Oh yeah I completely forgot that, that was the problem! Thank you so much!

Why doesn’t this happen with debian-11 based AppVMs though even if I use them with sys-firewall? Is it because of apt-transport-tor?

Do you have tor running inside these debian-11 AppVMs? Maybe you installed the tor package in the debian template?
In that case you have a tor-over-tor connection if you use the debian AppVM with sys-whonix as netvm.


Yeah that was the reason, debian was using the system-tor.
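
A check for the repo edit described in the first post, as an added example that is not part of the original thread or of the Qubes or Whonix tooling: it reports, per section of a dnf .repo file, whether the uncommented baseurl lines point only at a .onion host. The function names `audit_onion_repo` and `sample_repo` are hypothetical, and the sample file with its placeholder .onion host is constructed.

```shell
# Prints "<section> <status>" for each [section] of a dnf .repo file, judged by
# its uncommented baseurl lines. Returns 0 only if every section is onion-only.
audit_onion_repo() {
    awk '
    function report() {
        if (section == "") return
        if (onion && clear) status = "mixed"      # both kinds left uncommented
        else if (onion)     status = "onion"
        else if (clear)     status = "clearnet"
        else                status = "none"       # no active baseurl at all
        if (status != "onion") bad = 1
        print section, status
    }
    /^[ \t]*\[.*\][ \t]*$/ {            # new [section]: report the previous one
        report()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
        onion = 0; clear = 0
        next
    }
    /^[ \t]*[#;]/ { next }              # commented-out lines are inactive
    /^[ \t]*baseurl[ \t]*=/ {
        host = $0
        sub("^[^=]*=[ \t]*", "", host)  # drop "baseurl ="
        sub("^[a-zA-Z]+://", "", host)  # drop the scheme
        split(host, parts, "/"); host = parts[1]   # keep host[:port] only
        sub(":[0-9]+$", "", host)
        if (host ~ /\.onion$/) onion = 1; else clear = 1
    }
    END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed sample; the .onion host is a placeholder, not a real address.
sample_repo() {
    cat <<'EOF'
[qubes-vm-r4.1-current]
#baseurl = https://yum.qubes-os.org/r4.1/current/vm/fc$releasever
baseurl = http://yum.PLACEHOLDER.onion/r4.1/current/vm/fc$releasever
[qubes-vm-r4.1-current-testing]
baseurl = https://yum.qubes-os.org/r4.1/current-testing/vm/fc$releasever
baseurl = http://yum.PLACEHOLDER.onion/r4.1/current-testing/vm/fc$releasever
[qubes-vm-r4.1-unstable]
baseurl = https://yum.qubes-os.org/r4.1/unstable/vm/fc$releasever
#baseurl = http://yum.PLACEHOLDER.onion/r4.1/unstable/vm/fc$releasever
EOF
}

sample_repo | audit_onion_repo - || echo "not every section is onion-only"
```

Pass the path of the edited file under /etc/yum.repos.d/ instead of `-` to check a real template. A clean result covers only the file: as the thread shows, the .onion host still fails to resolve in a qube whose traffic does not reach Tor.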