Salt: How to install fedora minimal template with `qvm.template_installed`?

Qurious · May 28, 2022, 5:11pm

I am trying to use salt to install qubes-template-fedora-34-minimal to dom0, using the default repository.

But I don’t know what is the name of the default repository. I tried current but that doesn’t work.

I made a /srv/salt_user/template-fedora.sls file by adapting shaker/template-fedora-34-minimal.sls at main · unman/shaker · GitHub

template-fedora-minimal:
    qvm.template_installed:
        - name: qubes-template-fedora-34-minimal
        - fromrepo: current

Then I applied the state with:

[user@dom0 ~]$ sudo qubesctl state.apply \
    template-fedora-minimal saltenv=user

I get an error that says [Qrexec] Error: Unknown repo: 'current'.

What should be the name of the default repository?

Qurious · May 28, 2022, 5:48pm

If I delete the - fromrepo: current line in the .sls file, I get another error:

qvm-tempate: error: 
    Template `qubes-template-fedora-34-minimal` not found.

But I think qubes-template-fedora-34-minimal is the correct name of the template.

tzwcfq · May 28, 2022, 5:56pm

The name is qubes-templates-itl and you didn’t have to change it.

[user@dom0 ~]$ cat /etc/qubes/repo-templates/qubes-templates.repo
[qubes-templates-itl]
name = Qubes Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-templates-itl-testing]
name = Qubes Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl-testing
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl-testing
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl-testing/repodata/repomd.xml.metalink
enabled = 0
fastestmirror = 1
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-templates-community]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community
#metalink = https://yum.qubes-os.org/r$releasever/templates-community/repodata/repomd.xml.metalink
enabled = 0
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community

[qubes-templates-community-testing]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community-testing
#metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
enabled = 0
fastestmirror = 1
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community

Qurious · May 28, 2022, 6:08pm

Thanks!

I didn’t know I can check /etc/qubes/repo-templates/qubes-templates.repo

Qurious · May 28, 2022, 6:19pm

But I still get the same error:

template ‘qubes-template-fedora-34-minimal’ not found.

template-fedora-minimal
    qvm.template_installed:
        - name: qubes-template-fedora-34-minimal
        - fromrepo: qubes-templates-itl

Qurious · May 28, 2022, 6:30pm

When I use fedora-34-minimal, I don’t immediately get an error. The command is still running.

I get that name from [user@dom0 ~]$ qvm-template list

Qurious · May 28, 2022, 7:03pm

And I get a new error:

          ID: template-fedora-minimal
    Function: qvm.template_installed
        Name: fedora-34-minimal
      Result: False
     Comment: Failed to install template fedora-34-minimal. Additional info follows:
              
              Error canonicalizing file: Payload forged!
              Downloading 'qubes-template-fedora-34-minimal-0:4.0.6-202110020922'...
              ERROR: [Errno 2] No such file or directory: 
                  '/root/.cache/qvm-template/tmpxxxxxxx/qubes-template-
                      fedora-34-minimal-0:4.0.6-202110020922.rpm.UNTRUSTED'

tzwcfq · May 28, 2022, 7:05pm

This may be because of interrupted download.

Qurious · May 28, 2022, 7:09pm

How to fix that? This salt thing is super slow.

tzwcfq · May 28, 2022, 7:13pm

Just try to run salt again so it’ll download template again. I don’t know if there is a way to retry the partial download if it’s failed.

Qurious · May 28, 2022, 7:15pm

I apply the salt state again. When the command is still running, I check the /root/.cache/qvm-template/tmpxxxx/

The tmp folder is completely empty and I dont see the rpm for the fedora minimal template.

It is not downloading.

Usually, when I update the qubes, it would download things through whonix.

Maybe the salt method won’t work if the update has happened through whonix?

tzwcfq · May 28, 2022, 7:20pm

Do you see any network activity in sys-whonix → Nyx when you’re running salt state?
Also I don’t know about salt but qvm-template don’t download template in dom0 filesystem file but directly in stdout:

As for downloading - if the service would download directly to stdout,
instead of to file that is later send over another qrexec call

https://groups.google.com/g/qubes-devel/c/2XaMP4Us3kg/m/5U_0fca8BwAJ

Qurious · May 28, 2022, 7:28pm

how to do that?

xentop in dom0 says the NETS, NETTX(k), and NETRX(k) columns are all zeros for all VMs.

tzwcfq · May 28, 2022, 7:30pm

If your dom0 updatevm is sys-whonix then open Nyx app in sys-whonix. Or run nyx command in sys-whonix terminal.

Qurious · May 28, 2022, 7:33pm

Nyx in sys-whonix says it is downloading something.

tzwcfq · May 28, 2022, 7:40pm

You can wait until it finish or if it’ll fail you can check if the network activity in nyx will stop.

Qurious · May 28, 2022, 8:18pm

It worked. I deleted the fromrepo line.

But I feel it is much slower than directly running qubes-dom0-update. I haven’t timed qubes-dom0-update yet.

Qurious · May 28, 2022, 9:16pm

I removed the fedora-34-minimal template, following the instruction at Qube troubleshooting | Qubes OS

$ sudo qvm-remove fedora-34-minimal

And then I install it again…

$ sudo qubes-dom0-update qubes-template-fedora-34-minimal

And get the payload forged error. qubes-dom0-update is even slower than salt this time.

tzwcfq · May 29, 2022, 12:13am

If, on the other hand, the template came pre-installed or was installed by installing a template package in dom0, per the instructions above, then you must execute the following type of command in dom0 in order to uninstall it:
$ sudo dnf remove qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER>
qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER> is the name of the desired template package.