I ran “sudo dnf update” in Qubes 4.1 in a console of a fedora template and noticed that it only starts the qube sys-net but not sys-firewall. Consequently, the updates are obtained directly from sys-net.
No, in Qubes Global Settings I have set as net qube “sys-firewall”, as dom0 update qube also “sys-firewall” and as clock qube “sys-net”. Where do you think the error is?
Hmm, then it could be normal, that you see ‘sys-net’ entries in your logs…
What if you change the updateVM to sys-whonix ? Or can’t you set that, because you don’t have the whonix’es installed…?
Even if you configure something else instead of sys-net (or sys-whonix) as the updates proxy VM, its traffic still has to pass through sys-net (or sys-whonix, respectively)… The main difference appears to be that the updates proxy VM knows
some download connection is definitely related to an update;
the name of the template, e.g. fedora-35-my-interesting-clone.
I’m not too worried about (1) but (2) is awkward, so I use a dedicated named DisposableVM as the qubes.UpdatesProxy policy target. (Whatever qube is used for that also needs to have the qubes-updates-proxy service enabled.)
Update proxy is running in sys-net, as far as I know (you can check it in /etc/qubes-rpc/policy/qubes.UpdatesProxy), and communication between template and sys-net is done via RPC/qrexec, which is absolutely safe.
Update proxy is running in sys-net, as far as I know (you can check it in /etc/qubes-rpc/policy/qubes.UpdatesProxy ),
No, in /etc/qubes-rpc/policy/qubes.UpdatesProxy it doesn’t say anything about sys-net for me, only about sys-whonix, although Qubes updates are not done via Tor network.
and your statement directly from sys-net would still be wrong. It’s not directly, as I pointed out. Template gets its updates from sys-net via RPC/qrexec. Directly would be if you’d set sys-net as netVm for a template, which is exactly what one wouldn’t want to do.
Why would you expect your updates come from sys-firewall if it’s not set in qubes.UpdatesProxy and why do you think it would be safer if it comes from sys-firewall (again - not “directly” but via RPC/qrexec)?
I think it’s not over the Tor network because neither sys-whonix nor sys-firewall start when I run “sudo apt-get update” or “sudo dnf update” respectively in fedora-34 or debian-11. But an internet connection seems to exist, because the commands work.
True - but you have not provided any reason to suppose that this wont
happen.
The lines you quoted show that templates tagged with whonix-updatevm
will use sys-whonix. Nothing more.
In 4.1 the policy files have changed.
This has been covered in other threads, and pointed to by rustybird.
Look at /etc/qubes/policy.d/90-default.policy, where you will find the
default target to be sys-net.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.