Fedora 41 template updating with salt failing

User Support General
1

I’m seeing errors trying to update Fedora 41 Templates via salt, where the exact same salt recipes worked without issue, going back as long as dnf4 was the update mechanism.

I’m doing nothing irregular, but dnf5 seems to be unhappy with old flags:

install_brave_app:
  pkg.latest:
    - pkgs:
      - brave-browser

and the errors in dom0 are:

2025-03-26 08:06:48,404 output:           ID: install_brave_app
2025-03-26 08:06:48,404 output:     Function: pkg.latest
2025-03-26 08:06:48,404 output:       Result: False
2025-03-26 08:06:48,404 output:      Comment: An error was encountered while installing package(s): Error occurred installing package(s). Additional info follows:
2025-03-26 08:06:48,404 output:               
2025-03-26 08:06:48,404 output:               changes:
2025-03-26 08:06:48,404 output:                   ----------
2025-03-26 08:06:48,404 output:               errors:
2025-03-26 08:06:48,404 output:                   - Running as unit: run-r7741658cb8b545dcb47b14c9405b592c.scope; invocation ID: e03b878aed92486ab8b164a217dc2a2e
2025-03-26 08:06:48,404 output:                     Unknown argument "--allowerasing" for command "dnf5". Add "--help" for more information about the arguments.
2025-03-26 08:06:48,404 output:                     The argument is available for commands: builddep, group upgrade, group install, swap, reinstall, downgrade, debuginfo-install, distro-sync, upgrade, install. (It has to be placed after the command.)
2025-03-26 08:06:48,404 output:      Started: 08:06:44.998034
2025-03-26 08:06:48,404 output:     Duration: 889.98 ms
2025-03-26 08:06:48,404 output:      Changes:   
2025-03-26 08:06:48,404 output: ----------

I am fully updated in dom0:

xen_version            : 4.17.5
Linux 6.7.7-1.qubes.fc37.x86_64
  
Installed Packages:  
  
fwupd-qubes-dom0.noarch                           	1.8.14-5.fc37 
grub2-qubes-theme.x86_64                          	5.14.4-5.fc37 
python3-qubesadmin.noarch                         	4.2.17-1.fc37 
python3-qubesdb.x86_64                            	4.2.7-1.fc37 
python3-qubesimgconverter.x86_64                  	4.2.19-1.fc37 
qubes-anaconda-addon.noarch                       	4.2.7-1.fc37 
qubes-artwork.noarch                              	4.2.3-1.fc37 
qubes-artwork-anaconda.noarch                     	4.2.3-1.fc37 
qubes-artwork-plymouth.noarch                     	4.2.3-1.fc37 
qubes-audio-daemon.x86_64                         	4.2.9-1.fc37 
qubes-audio-dom0.x86_64                           	4.2.9-1.fc37 
qubes-core-admin-addon-whonix.noarch              	4.1.3-1.fc37 
qubes-core-admin-client.noarch                    	4.2.17-1.fc37 
qubes-core-dom0.noarch                            	4.2.37-1.fc37 
qubes-core-dom0-linux.x86_64                      	4.2.33-1.fc37 
qubes-core-dom0-linux-kernel-install.x86_64       	4.2.33-1.fc37 
qubes-core-qrexec.x86_64                          	4.2.23-1.fc37 
qubes-core-qrexec-dom0.x86_64                     	4.2.23-1.fc37 
qubes-core-qrexec-libs.x86_64                     	4.2.23-1.fc37 
qubes-db.x86_64                                   	4.2.7-1.fc37 
qubes-db-dom0.x86_64                              	4.2.7-1.fc37 
qubes-db-libs.x86_64                              	4.2.7-1.fc37 
qubes-desktop-linux-common.noarch                 	4.2.12-1.fc37 
qubes-desktop-linux-manager.noarch                	4.2.25-1.fc37 
qubes-desktop-linux-menu.noarch                   	1.2.1-1.fc37 
qubes-dom0-meta-packages.noarch                   	4.2.14-1.fc37 
qubes-dom0-unwanted-packages.noarch               	4.2.14-1.fc37 
qubes-gpg-split-dom0.noarch                       	2.0.76-1.fc37 
qubes-gui-daemon.x86_64                           	4.2.9-1.fc37 
qubes-gui-dom0.x86_64                             	4.2.9-1.fc37 
qubes-img-converter-dom0.noarch                   	1.2.18-1.fc37 
qubes-input-proxy.x86_64                          	1.0.40-1.fc37 
qubes-input-proxy-receiver.x86_64                 	1.0.40-1.fc37 
qubes-input-proxy-sender.x86_64                   	1.0.40-1.fc37 
qubes-kernel-vm-support.x86_64                    	4.2.19-1.fc37 
qubes-libvchan-xen.x86_64                         	4.2.7-1.fc37 
qubes-manager.noarch                              	4.2.9-1.fc37 
qubes-menus.noarch                                	4.2.12-1.fc37 
qubes-mgmt-salt.noarch                            	4.2.2-1.fc37 
qubes-mgmt-salt-admin-tools.noarch                	4.2.2-1.fc37 
qubes-mgmt-salt-base.noarch                       	4.1.7-1.fc37 
qubes-mgmt-salt-base-config.noarch                	4.1.2-1.fc37 
qubes-mgmt-salt-base-topd.noarch                  	4.2.1-1.fc37 
qubes-mgmt-salt-config.noarch                     	4.2.2-1.fc37 
qubes-mgmt-salt-dom0.noarch                       	4.2.2-1.fc37 
qubes-mgmt-salt-dom0-qvm.noarch                   	4.2.1-1.fc37 
qubes-mgmt-salt-dom0-update.noarch                	4.2.2-1.fc37 
qubes-mgmt-salt-dom0-virtual-machines.noarch      	4.2.19-1.fc37 
qubes-pdf-converter-dom0.noarch                   	2.1.23-1.fc37 
qubes-release.noarch                              	4.2-12.fc37 
qubes-release-notes.noarch                        	4.2-12.fc37 
qubes-repo-templates.noarch                       	4.2.2-1.fc37 
qubes-rpm-oxide.x86_64                            	0.2.8-1.fc37 
qubes-usb-proxy-dom0.noarch                       	1.3.3-1.fc37 
qubes-utils.x86_64                                	4.2.19-1.fc37 
qubes-utils-libs.x86_64                           	4.2.19-1.fc37 
xfce4-settings-qubes.noarch                       	4.2.3-1.fc37

So I’m assuming it means that somewhere in qubes-mgmt-salt*, there’s still hardcoded-reliance on --allowerasing that is keeping this from working.

Any ideas? Do I need to use different salt recipes?

1 Like
2

You can run an update script using cmd module

p.s. dnf5 works with --allowerasing, or at least it claims to do so in the manual, most likely current state module puts it before the subcommand, not after as it should with dnf5

1 Like
3

With Fedora 40 going EOL soon, and Fedora 41 (and thus dnf5) becoming the primary supported template, I feel this then is a bug in Qubes 4.2.*

I know I can update templates the normal way (prescribed in docs), but I assume we want the current recommended template to be working with salt, which is still kind of an important component of the Qubes ecosystem.

I’ve toyed around with all the recipes in /usr/lib/python3.11/site-packages/salt containing --allowerasing, but none seem to have an impact when running salt state. Happy to get more guidance and do the legwork myself, but just at a roadblock.

4

I have checked and pkg.latest totally works lol. Update your template manually, maybe it has old salt packages or something.

When I think about it, pkg.installed have been fixed a month or two ago, most likely pkg.latest have been fixed in the same update.

5

Thanks for following up. I’m not too sure where to go, here are the version I’m working with

[user@dom0 ~]$ qvm-template list --installed
Installed Templates
debian-12          0:4.2.0-202308072102  qubes-templates-itl
debian-12-minimal  0:4.2.0-202308031621  qubes-templates-itl
fedora-40          0:4.2.0-202405290238  qubes-templates-itl
fedora-40-minimal  0:4.2.0-202404260902  qubes-templates-itl
fedora-41          0:4.2.0-202412200202  qubes-templates-itl

So, a stock fedora-41 (cloned) seems to be from Dec 2024, which is the dnf I’m relying on.

[user@dom0 ~]$ sudo qubes-dom0-update --action=upgrade qubes-template-fedora-41
Using sys-protonwg as UpdateVM for Dom0
Downloading updates. This may take a while...
Redirecting to 'qvm-template upgrade  fedora-41'
Template 'fedora-41' of highest version already installed, skipping...

Are you using the qvm-template installed version without any changes? Or did you upgrade in the template at least once before testing this?

Removing and retrying:

[user@dom0 ~]$ sudo qubes-dom0-update --action=install qubes-template-fedora-41
Using sys-protonwg as UpdateVM for Dom0
Downloading packages. This may take a while...
Redirecting to 'qvm-template install  fedora-41'
Downloading 'qubes-template-fedora-41-0:4.2.0-202412200202'...
qubes-template-fedora-41-0:4.2.0-202412200202:   1%|█

Still seems to be the December 2024 one.

6

No, not the default template, just one of my fedora 41 qubes. Yes, the template have been upgraded.

Maybe this fix is shipped via package manager and isn’t included into the template yet.

7

I feel like it’s reasonable to expect that dnf5 would work out of box given that the QubesOS 4.2.0 version of dom0 matches the 4.2.0 of the template.

I just ran the qubes-updater on the fedora-41 template, stock. It’s not resolving the issue. I know I can do this manually, but using salt seemed like the clean, programatic way to do it.