Qubes Update utility and command line documentation use different commands

Summary

Before I open an issue, is there a reason the command line qubesctl command to update dom0 is different from the one used in the Qubes Update utility?

Explanation

Based on this thread, I was inspired to investigate the differences between the graphical Qubes Update utility and the command line salt states.

Command line salt states

The documentation mentions two commands:

To update dom0 (from dom0):
sudo qubesctl --show-output state.sls update.qubes-dom0

To update templates (from dom0):
sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm

Graphical Qubes Update:

Within the Qubes Update source code, two commands are available in the perform_update function:

For an AdminVM (dom0):

# sudo qubesctl --dom0-only --no-color pkg.upgrade refresh=True
['sudo', 'qubesctl', '--dom0-only', '--no-color', 'pkg.upgrade', 'refresh=True']

For other templates:

# sudo qubesctl --skip-dom0 --targets=<TEMPLATE_NAME> --show-output state.sls update.qubes-vm
['sudo', 'qubesctl', '--skip-dom0', '--targets=' + row.vm.name, '--show-output', 'state.sls', 'update.qubes-vm']

Discussion

Regular templates

For regular templates, the commands are very similar. The command line version:
sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
applies configuration and updates all the regular templates at once (limited by the default max-concurrency).

The Qubes Update version:
sudo qubesctl --skip-dom0 --targets=<TEMPLATE_NAME> --show-output state.sls update.qubes-vm
applies the same configuration and updates to each of the checked templates one at a time as part of a loop.

I feel these commands get the same job done.

dom0

For the dom0 commands, the command line:
sudo qubesctl --show-output state.sls update.qubes-dom0
applies configuration, cleans cache, and updates packages.

However, the Qubes Update command:
sudo qubesctl --dom0-only --no-color pkg.upgrade refresh=True
seems to be a direct salt-call of the forked Qubes OS version of salt.modules.yumpkg.

While the command line update.qubes-dom0 state will end up calling the same pkg.upgrade execution module (through the pkg.uptodate state module), I am unable to locate where Qubes Update would apply new configuration. I thought it might be through the qubesctl command itself with this line, but I believe the module it is attempting to import was eliminated a long time ago.

In short, how does the graphical Qubes Update utility apply new configuration changes to dom0 if it is not utilizing the same update.qubes-dom0 Salt state?

1 Like

Good question. Perhaps @marmarek or @unman might be able to steer us in the right direction here.