Question on qubes-dom0-update


usually I am using the GUI to update the system.

But just now I tried to update QubesOS via the terminal. The command I entered was sudo qubes-dom0-update (otherwise there is a “permission denied” error). The output in the terminal says using sys-firewall as UpdateVM to download updates for Dom0; this may take some time....

A new terminal window opens, green color indicating it is in the context of the sys-firewall-qube. While a regular terminal opened in sys-firewall will display [sys-firewall] user@sys-firewall:~ this window displays [sys-firewall] sh

The terminal just shows one line:
Fedora 32 – x86_64

I was weirded out, so I have stopped the update.

Did anybody on here come across this? Might be totally benign, I was irritated by Fedora 32

Unless I’ve missed something, sounds like reasonably normal behavior given that sys-firewall has been selected as “Dom0 update qube” within “Qubes Global Settings”.

AFAIK, in order to run the update command from dom0’s CLI, the qubes-dom0-update CMD currently requires something like this:

$ sudo qubes-dom0-update --releasever=4.1

(Change the release version accordingly if you are running r4.0.)


really appreciate you answering so quickly @cayce.

1 Like

De nada; bang that “solved” button if it’s worked out for ya! :hugs:

Yes, that and its command-line equivalents are the currently-recommended update methods:

That’s all normal and expected, AFAIK.

It’s possible that you either didn’t wait long enough or that it got stuck for some reason. It would be fine to try again (maybe after restarting sys-firewall just in case).

I’ve never had to do that. qubes-dom0-update appears to work normally for me without the --releasever=4.1. I do see a warning or notification that states: Unable to detect release version (use '--releasever' to specify release version). However, it doesn’t appear to impede the normal update process (unless, of course, the update process is actually failing in some non-obvious way while giving me normal-looking output). In any case, I’ve just opened #8092 for this message.


When I want to do a total QubesOS update on the terminal, I use the following commands:

(dom0) $ sudo qubesctl --show-output state.sls update.qubes-dom0 && 
         sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm

This updates the dom0 and all the other templates alright.

What is the difference between what I do and the sudo qubes-dom0-update command?

The difference is that you are updating qubes as well as dom0 - I guess
you knew that.
The salt states may be used to make configuration or security changes
also, whereas qubes-dom0-update is a static update script.
(N.B Qubes is moving away from salt for the update process.)

Where can I read more about this?

I agree; this is a “yikes!” because I finally got it working to the point where I can just enter ONE command and all templates (well, all templates I built with salt) get updated. In fact it’s one of the few things I can do that doesn’t need a shell script to call salt (though I still do so because I can never remember the doggone qubesctl command syntax).

1 Like

See, e.g., the comments on this issue: