Question on qubes-dom0-update

qubidoo · March 12, 2023, 3:53pm

Hi,

usually I am using the GUI to update the system.

But just now I tried to update QubesOS via the terminal. The command I entered was sudo qubes-dom0-update (otherwise there is a “permission denied” error). The output in the terminal says using sys-firewall as UpdateVM to download updates for Dom0; this may take some time....

A new terminal window opens, green color indicating it is in the context of the sys-firewall-qube. While a regular terminal opened in sys-firewall will display [sys-firewall] user@sys-firewall:~ this window displays [sys-firewall] sh

The terminal just shows one line:
Fedora 32 – x86_64

I was weirded out, so I have stopped the update.

Did anybody on here come across this? Might be totally benign, I was irritated by Fedora 32

cayce · March 12, 2023, 3:59pm

Unless I’ve missed something, sounds like reasonably normal behavior given that sys-firewall has been selected as “Dom0 update qube” within “Qubes Global Settings”.

AFAIK, in order to run the update command from dom0’s CLI, the qubes-dom0-update CMD currently requires something like this:

$ sudo qubes-dom0-update --releasever=4.1

(Change the release version accordingly if you are running r4.0.)

qubidoo · March 12, 2023, 4:00pm

really appreciate you answering so quickly @cayce.

cayce · March 12, 2023, 4:02pm

De nada; bang that “solved” button if it’s worked out for ya!

adw · March 13, 2023, 6:21am

Yes, that and its command-line equivalents are the currently-recommended update methods:

That’s all normal and expected, AFAIK.

It’s possible that you either didn’t wait long enough or that it got stuck for some reason. It would be fine to try again (maybe after restarting sys-firewall just in case).

I’ve never had to do that. qubes-dom0-update appears to work normally for me without the --releasever=4.1. I do see a warning or notification that states: Unable to detect release version (use '--releasever' to specify release version). However, it doesn’t appear to impede the normal update process (unless, of course, the update process is actually failing in some non-obvious way while giving me normal-looking output). In any case, I’ve just opened #8092 for this message.

tanky0u · March 13, 2023, 7:20am

When I want to do a total QubesOS update on the terminal, I use the following commands:

(dom0) $ sudo qubesctl --show-output state.sls update.qubes-dom0 && 
         sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm

This updates the dom0 and all the other templates alright.

What is the difference between what I do and the sudo qubes-dom0-update command?

unman · March 13, 2023, 1:34pm

The difference is that you are updating qubes as well as dom0 - I guess
you knew that.
The salt states may be used to make configuration or security changes
also, whereas qubes-dom0-update is a static update script.
(N.B Qubes is moving away from salt for the update process.)

tanky0u · March 14, 2023, 10:20am

Where can I read more about this?

SteveC · March 14, 2023, 4:40pm

I agree; this is a “yikes!” because I finally got it working to the point where I can just enter ONE command and all templates (well, all templates I built with salt) get updated. In fact it’s one of the few things I can do that doesn’t need a shell script to call salt (though I still do so because I can never remember the doggone qubesctl command syntax).

adw · March 14, 2023, 11:21pm

See, e.g., the comments on this issue:

github.com/QubesOS/qubes-issues

When a deprecated direct update command is used, inform the user of the recommended update method

opened 12:11AM - 07 Mar 23 UTC

andrewdavidwong

T: enhancement ux P: default C: updates

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## The problem you're addressing (if any) Many Qubes users have become accustomed, over the years, to using direct commands to perform routine updates, such as `qubes-dom0-update`, `dnf update`, and `apt update`. Even though this practice was deprecated long ago for security reasons (see #6275, https://github.com/QubesOS/qubes-posts/pull/79, and https://github.com/QubesOS/qubes-doc/commit/9eea4db0a62b7b7f70e3199e2abc095ada780cda), some users likely *still* aren't aware of it, since they would have to read the documentation or GitHub to learn of it. There is nothing in Qubes OS software itself that ever hints to them that they're using a deprecated method for routine updates. ### The solution you'd like Here's a simple version of the idea: When a direct update command is used, print a brief notification (but don't otherwise interfere with the action, since such commands are still sometimes necessary and appropriate in specific circumstances). ``` Note: The use of <DIRECT_UPDATE_COMMAND> is no longer recommended for routine updates. Please consider using the Qubes Update tool instead. For more information, see: https://www.qubes-os.org/doc/how-to-update/ ``` (Where `<DIRECT_UPDATE_COMMAND>` is the direct update command the user just executed, such as `qubes-dom0-update`, `dnf update`, or `apt update`.) If the recommended update method changes again with #7443, or if the name of the preferred tool changes, then this notification should be updated accordingly. Bonus points: Provide power users with a way to squelch the notification if they don't like seeing it. ### The value to a user, and who that user might be Users who aren't aware that they're using a deprecated method for routine updates will have a better chance of becoming aware *without* having to read documentation, announcements, or discussions outside of the system itself. In this way, this proposal is actually better than the PSA I had wanted to make (https://github.com/QubesOS/qubes-posts/pull/79).