Summary
Before I open an issue, is there a reason the command line qubesctl command to update dom0 is different from the one used in the Qubes Update utility?
Explanation
Based on this thread, I was inspired to investigate the differences between the graphical Qubes Update utility and the command line salt states.
Command line salt states
The documentation mentions two commands:
To update dom0 (from dom0):
sudo qubesctl --show-output state.sls update.qubes-dom0
To update templates (from dom0):
sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
Graphical Qubes Update:
Within the Qubes Update source code, two commands are available in the perform_update function:
For an AdminVM (dom0):
# sudo qubesctl --dom0-only --no-color pkg.upgrade refresh=True
['sudo', 'qubesctl', '--dom0-only', '--no-color', 'pkg.upgrade', 'refresh=True']
For other templates:
# sudo qubesctl --skip-dom0 --targets=<TEMPLATE_NAME> --show-output state.sls update.qubes-vm
['sudo', 'qubesctl', '--skip-dom0', '--targets=' + row.vm.name, '--show-output', 'state.sls', 'update.qubes-vm']
Discussion
Regular templates
For regular templates, the commands are very similar. The command line version:
sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
applies configuration and updates all the regular templates at once (limited by the default max-concurrency).
The Qubes Update version:
sudo qubesctl --skip-dom0 --targets=<TEMPLATE_NAME> --show-output state.sls update.qubes-vm
applies the same configuration and updates to each of the checked templates one at a time as part of a loop.
I feel these commands get the same job done.
dom0
For the dom0 commands, the command line:
sudo qubesctl --show-output state.sls update.qubes-dom0
applies configuration, cleans cache, and updates packages.
However, the Qubes Update command:
sudo qubesctl --dom0-only --no-color pkg.upgrade refresh=True
seems to be a direct salt-call of the forked Qubes OS version of salt.modules.yumpkg.
While the command line update.qubes-dom0 state will end up calling the same pkg.upgrade execution module (through the pkg.uptodate state module), I am unable to locate where Qubes Update would apply new configuration. I thought it might be through the qubesctl command itself with this line, but I believe the module it is attempting to import was eliminated a long time ago.
In short, how does the graphical Qubes Update utility apply new configuration changes to dom0 if it is not utilizing the same update.qubes-dom0 Salt state?