Issues with apt-cacher-ng

@unman: I am still confused about some of the internals.

Wanting to reply on a forum thread, and not having installed anything under my disp sys-net for a while, I wanted to install wireshark there in the current session to install additional tools I needed just for that session…

And fell into another rabbit hole.

First, as I am normally able to do with the current setup on other qubes:

[user@sys-net ~]$ sudo dnf update
Fedora 36 - x86_64                                                                                                                       11  B/s | 547  B     00:48    
Errors during downloading metadata for repository 'fedora':
  - Status code: 500 for http://HTTPS///mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64&protocol=http&protocol=http (IP: 127.0.0.1)
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Status code: 500 for http://HTTPS///mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64&protocol=http&protocol=http (IP: 127.0.0.1)

Hmm?

[user@dom0 ~]$ qvm-service sys-net 
clocksync            on
qubes-update-check   on
updates-proxy-setup  on

Ok…
Let’s compare with sys-firewall, which works:

[user@sys-firewall ~]$ sudo dnf update
Fedora 36 openh264 (From Cisco) - x86_64                                                                                                0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'fedora-cisco-openh264':
  - Curl error (56): Failure when receiving data from the peer for https://codecs.fedoraproject.org/openh264/36/x86_64/os/repodata/repomd.xml [Received HTTP code 403 from proxy after CONNECT]
Error: Failed to download metadata for repo 'fedora-cisco-openh264': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Fedora 36 - x86_64 - Updates                                                                                                             15 MB/s |  28 MB     00:01    
^C^C^C^C^C^C^C^C^C^CKeyboardInterrupt: Terminated.

[user@dom0 ~]$ qvm-service sys-firewall
qubes-update-check   on
updates-proxy-setup  on

Any explanation on this?

[user@dom0 ~]$ sudo cat /etc/qubes/policy.d/30-user.policy 
qubes.UpdatesProxy  *  @anyvm  @default  allow target=cacher
#qubes.UpdatesProxy  *  @tag:whonix-updatevm    @default    allow target=sys-whonix
#qubes.UpdatesProxy  *  @type:AppVM  @default  allow target=cacher
#qubes.UpdatesProxy  *  @type:TemplateVM  @default  allow target=cacher

[user@sys-net ~]$ wget 127.0.0.1:8082
--2022-10-17 14:03:14--  http://127.0.0.1:8082/
Connecting to 127.0.0.1:8082... connected.
HTTP request sent, awaiting response... 403 Filtered
2022-10-17 14:03:14 ERROR 403: Filtered.

[user@sys-firewall ~]$ wget 127.0.0.1:8082
--2022-10-17 14:03:42--  http://127.0.0.1:8082/
Connecting to 127.0.0.1:8082... connected.
HTTP request sent, awaiting response... 406 Usage Information
2022-10-17 14:03:42 ERROR 406: Usage Information.

I would have expected the same behavior from sys-firewall and sys-net.

Another question: how do I change the default of a qvm-service? I recently created a new qube, and that qube doesn’t have updates-proxy-setup by default.
As we discussed before, I do not really see how a qube with the qubes-update-check service on, which depends on cacher to provide the package list used to notify dom0, could do so without also having updates-proxy-setup enabled.

Consequently, for my use of cacher, which lets me install software I sporadically need in sys-net or other disposables, I want my qubes to be able to report available template updates when I use them, and I want any qube I use to be able to install software, since I am well aware that, in my use case, it won’t survive a reboot anyway. For that, I would love to have updates-proxy-setup enabled by default unless I deactivate it manually.

How can I accomplish this?