@unman : I am still confused on some of the internals.
Wanting to reply on a forum thread, and not having installed anything under my disp sys-net for a while, I wanted to install Wireshark there in the current session, to install additional tools I needed just for that session…
And fell into another rabbit hole.
First, as I am normally able to do with the current setup on other qubes:
[user@sys-net ~]$ sudo dnf update
Fedora 36 - x86_64 11 B/s | 547 B 00:48
Errors during downloading metadata for repository 'fedora':
- Status code: 500 for http://HTTPS///mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64&protocol=http&protocol=http (IP: 127.0.0.1)
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Status code: 500 for http://HTTPS///mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64&protocol=http&protocol=http (IP: 127.0.0.1)
Hmm?
[user@dom0 ~]$ qvm-service sys-net
clocksync on
qubes-update-check on
updates-proxy-setup on
Ok…
Let’s compare with sys-firewall, which works:
[user@sys-firewall ~]$ sudo dnf update
Fedora 36 openh264 (From Cisco) - x86_64 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'fedora-cisco-openh264':
- Curl error (56): Failure when receiving data from the peer for https://codecs.fedoraproject.org/openh264/36/x86_64/os/repodata/repomd.xml [Received HTTP code 403 from proxy after CONNECT]
Error: Failed to download metadata for repo 'fedora-cisco-openh264': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Fedora 36 - x86_64 - Updates 15 MB/s | 28 MB 00:01
^C^C^C^C^C^C^C^C^C^CKeyboardInterrupt: Terminated.
[user@dom0 ~]$ qvm-service sys-firewall
qubes-update-check on
updates-proxy-setup on
Any explanation on this?
[user@dom0 ~]$ sudo cat /etc/qubes/policy.d/30-user.policy
qubes.UpdatesProxy * @anyvm @default allow target=cacher
#qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
#qubes.UpdatesProxy * @type:AppVM @default allow target=cacher
#qubes.UpdatesProxy * @type:TemplateVM @default allow target=cacher
[user@sys-net ~]$ wget 127.0.0.1:8082
--2022-10-17 14:03:14-- http://127.0.0.1:8082/
Connecting to 127.0.0.1:8082... connected.
HTTP request sent, awaiting response... 403 Filtered
2022-10-17 14:03:14 ERROR 403: Filtered.
[user@sys-firewall ~]$ wget 127.0.0.1:8082
--2022-10-17 14:03:42-- http://127.0.0.1:8082/
Connecting to 127.0.0.1:8082... connected.
HTTP request sent, awaiting response... 406 Usage Information
2022-10-17 14:03:42 ERROR 406: Usage Information.
I would have expected to have the same behavior between sys-firewall and sys-net.
Another question: how to change the default of a qvm-service? I recently created a new qube, and that qube doesn’t have updates-proxy-setup by default.
As we discussed before, I do not really see how a qube having the qubes-update-check service on, depending on cacher to be able to provide the package list to notify dom0, could be able to do so without having updates-proxy-setup also enabled.
Consequently, for the use I make of cacher, which permits me to install software I sporadically need in sys-net or other disposables, I want my qubes to be able to report available updates for templates when I use them, as well as have any qube I use be able to install software in it, since I am well aware, from my use case, that those won’t survive a reboot as well. And for that, I would love to have updates-proxy-setup enabled by default unless I deactivate it manually.
How to accomplish this?