Hello,
I like to download some packages in template via apt install -y --download-only <package>, so that they can be later installed temporarily within an AppVM based on this template. This helps me to reduce the amount of needed templates. I read about /etc/qubes/post-install.d hooks, created a new, executable file 10-apt-download-only.sh within the template and pasted inside
#!/bin/sh
apt install -y --download-only vlc
, but somehow this does not get executed (judging from looking at /var/cache/apt/archives). What would be the proper way to keep these downloaded packages up-to-date with “Qubes Update” tool?
You need to setup apt-cacher-ng in a qube, there are some tutorials on the forum. It works well with debian IMO, but for me it has been painful to configure for fedora…
(Adding to the previous answer: search the forum for “apt-cacher-ng” or simply “cacher”, and you’ll find a number of threads about how to set it up.)
Thanks @gonzalo-bulnes and @solene for both your answers. I am aware of apt-cacher-ng - there are two reasons against it for my scenario:
Caching of packages within Whonix
Additional overhead
For 1. I am not sure, if apt-cacher-ng can be integrated with Whonix. Also I don’t think clearnet cache should be mixed in any way with traffic from Whonix. And since I am only using one Whonix template and spawn multiple AppVMs from it, it might be used directly to cache needed packages with plain apt.
Regarding 2. this is the kind of overhead with separate qube and configuration I would like to avoid. Having a local template cache seems like a nice sweet spot.
I have searched for /etc/qubes/post-install.d, but could barely find anything… Is it possible at all to use apt in these scripts? That README in same directory states
All executable files with .sh suffix in this directory will be executed as
root just after template installation or update. Template VM may
not have access to the network at this time yet.
I don’t understand the last sentence: Of course template don’t have direct network access, since they shouldn’t be assigned a netvm. Isn’t that what update proxy is used for anyway?
apt-cacher-ng doesnt fit with what @riverboat wants to do. They were quite
specific in their requirements, and it isnt clear how apt-cacher-ng
would help. They want to cache the packages in the template, not in a
caching proxy.
There are three issues with @riverboat’s approach:
apt is not recommended for scripting. Use apt-get or lower level apt calls.
By default the archives in /var/cache/apt/archives are cleaned after an apt operation.
This is set by /etc/apt/apt.conf.d/10no-cache.
It would be possible to work round this by removing that file so that
packages are cached in the template. This is somewhat inefficient.
A better approach would be to switch on caching for the call, like this: apt-get upgrade -d -o APT::Keep-Downloaded-Packages="1" -y -q -q PACKAGE_LIST
10-apt-download-only.sh will always fail when called within /etc/qubes/post-install.d because the calling apt operation is still
running, so that the new call to apt cannot get a lock for dpkg.
I dont see a clean way round this.
You could try forking to the new call and using some sleep in the hope
that the original apt operation would have terminated. The issue there
would be that if called from a Qubes update operation, the template
would likely be shut down before the updated packages could be
downloaded. Difficult.
In sum, I dont see any simple or reliable way of using post-install hooks.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
I think above issue will be a show stopper, until there is a way for “Qubes Update” to wait for running processes hooked from /etc/qubes/post-install.d. Same goes for scripts in /rw/config/rc.local.