How to chroot into non-bootable VM the proper way?

daniel2 · October 5, 2022, 7:16pm

How do I chroot into a VM I cannot run any programs on?

background

Yesterday I noticed that in all my debian-based VMs (templates and standalones) I had multiple packages that could be removed.
I suspect that this was the case because I did in-place upgrades from Debian 10 to Debian 11 a while ago, rendering some old packages obsolete.
I ran sudo apt autoremove in my Debian 11 templates and standalones.
Now I cannot start any program on any of these VMs anymore .

approach 1

I followed this guide and manually attached an affected VM’s root storage to a disposable (whonix disposable, eg. having internet access).

Now I mounted /dev/xvdi3 in /mnt in the disposable and chrooted into it.
I am pretty confident that the autoremove caused this problem, so I came up with this epic command:

# don't tell me about regex repetition
grep "^2022-10-04 [0-9][0-9]:[0-9][0-9]:[0-9][0-9] remove " /var/log/dpkg.log |
    cut -d' ' -f4 |
    cut -d: -f1

This should essentially give me a list of all programs that were removed yesterday (correct me if that’s not the case).

output:

libbotan-2-17
libtspi1
linux-headers-5.10.0-10-amd64
linux-headers-5.10.0-10-common
linux-headers-5.10.0-11-amd64
linux-headers-5.10.0-11-common
linux-headers-5.10.0-12-amd64
linux-headers-5.10.0-12-common
linux-headers-5.10.0-13-amd64
linux-headers-5.10.0-13-common
linux-headers-5.10.0-14-amd64
linux-headers-5.10.0-14-common
linux-headers-5.10.0-15-amd64
linux-headers-5.10.0-15-common
linux-headers-5.10.0-16-amd64
linux-headers-5.10.0-16-common
linux-headers-5.10.0-8-amd64
linux-headers-5.10.0-8-common
linux-headers-5.10.0-9-amd64
linux-headers-5.10.0-9-common
linux-image-5.10.0-10-amd64
linux-image-5.10.0-11-amd64
linux-image-5.10.0-12-amd64
linux-image-5.10.0-13-amd64
linux-image-5.10.0-14-amd64
linux-image-5.10.0-15-amd64
linux-image-5.10.0-16-amd64
linux-image-5.10.0-8-amd64
linux-image-5.10.0-9-amd64
qubes-core-agent-qrexec

I suspect that qubes-core-agent-qrexec should not have been removed…

When trying to reinstall a package I get an error about unmet dependencies:

root@host:/# sudo apt install libbotan-2-17
sudo: unable to resolve host host: Name or service not known
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 libbotan-2-17 : Depends: libtspi1 (>= 0.3.1) but it is not going to be installed
 qubes-core-agent : Depends: xen-utils-guest but it is not going to be installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).

When running sudo apt --fix-broken install it suggests to remove linux-headers-amd64 which I deemed to be a bad idea (thus I declined to do so).

approach 2

On my journey through the internet looking for a fix I encountered xl.
Running sudo xl console 377 (where 377 was the ID of the VM retrieved by running sudo xl list with the VM running) in dom0 returned an error:

libxl: error: libxl_dom.c:40:libxl__domain_type: unable to get domain type for domid=377
Unable to attach console

Note: This VM was a standalone, just in case this is of importance here.

current state of things

I had this problem with one VM a long time ago and simply “fixed” it by mounting the private storage of the affected VM to a disposable and copying my files to a newly created VM.
However, this is not an option (not if avoidable), as all my Debian templates and standalones are affected.
Having to set up each VM manually again would take days / weeks.

Because of that I would like to properly chroot into my VM (with all partitions attached, private and root storage etc.) and try to reinstall the removed packages.

If there is an obvious / easy fix, please let me know.
Although I have backups, these are ca. 1 week old, there has been a lot of change since then.

PS: I do acknowledge that it is pretty silly to simply autoremove without checking…

Yesterday I also encountered that in many of my Debian 11 VMs, my /etc/apt/sources.list.d/qubes-r4.list contained a Qubes 4.0 entry instead of Qubes 4.1.
I changed these entries to deb [arch=amd64] https://deb.qubes-os.org/r4.1/vm bullseye main (note the 4.1 instead of 4.0). I also ran sudo apt update after this change, and it worked (making me believe this was no problem).
I included this here just in case it has something to do with the problem.

I hope you can help me out with this.
If we get this fixed I will submit a “How-to” topic in “Guides”

daniel2 · October 6, 2022, 9:12pm

UPDATE

I “fixed” the issue manually now:

First, I renamed all affected VMs to {VM_NAME}_broken.
Then I restored my backup of all affected qubes.
Then I moved all files that changed since the backup was made over to the restored VMs (by using this).
Then I refreshed all applications in these VMs, as these got confused in the process.
Finally I deleted all *_broken VMs.

I am now back to where I was before: I have many VMs indicating that they are running out of disk space in root storage.

$ df -h
df: /run/user/1000/doc: Operation not permitted
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda3      9.6G  9.0G   67M 100% /
none            9.6G  9.0G   67M 100% /usr/lib/modules
devtmpfs        4.0M     0  4.0M   0% /dev
tmpfs           1.0G     0  1.0G   0% /dev/shm
tmpfs            58M  756K   57M   2% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
/dev/xvdb       2.0G   37M  1.9G   2% /rw
tmpfs            29M   44K   29M   1% /run/user/1000

My /usr/lib/modules is 100% full.
I could just give the VM more root storage space using qvm-volume extend {VM_NAME}:root +XG, but this does not eliminate the problem, rather this gives in to an underlying issue.
I am pretty sure this is the root of storage consumption:

$ sudo apt autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  linux-headers-5.10.0-10-amd64 linux-headers-5.10.0-10-common
  linux-headers-5.10.0-11-amd64 linux-headers-5.10.0-11-common
  linux-headers-5.10.0-12-amd64 linux-headers-5.10.0-12-common
  linux-headers-5.10.0-13-amd64 linux-headers-5.10.0-13-common
  linux-headers-5.10.0-14-amd64 linux-headers-5.10.0-14-common
  linux-headers-5.10.0-15-amd64 linux-headers-5.10.0-15-common
  linux-headers-5.10.0-16-amd64 linux-headers-5.10.0-16-common
  linux-headers-5.10.0-8-amd64 linux-headers-5.10.0-8-common
  linux-headers-5.10.0-9-amd64 linux-headers-5.10.0-9-common
  linux-image-5.10.0-10-amd64 linux-image-5.10.0-11-amd64
  linux-image-5.10.0-12-amd64 linux-image-5.10.0-13-amd64
  linux-image-5.10.0-14-amd64 linux-image-5.10.0-15-amd64
  linux-image-5.10.0-16-amd64 linux-image-5.10.0-8-amd64
  linux-image-5.10.0-9-amd64
0 upgraded, 0 newly installed, 27 to remove and 0 not upgraded.
After this operation, 3,245 MB disk space will be freed.
Do you want to continue? [Y/n]

I declined that, as this will cause issues, as I experienced…

How do I remove these packages without breaking my system again?

enmus · October 7, 2022, 2:27pm

Except now qubes-core-agent-qrexec is not on the list?