Sudo apt update starting/using default sys-net

tdluhubohapbtisbfj · August 4, 2022, 7:30pm

When running sudo apt update in a debian template it uses sys-net.

Or in my case attempts to use it. I’m using a different vm for networking so it starts up sys-net instead. I’d rather this use my sys-vpn (which is connected to firewall > sys-net2) and is added as a netvm to the debian template

For some reason running this command starts a sys-net vm. This means sys-net can be made to run from within a different vm.

It also may mean that if I was allowing traffic through sys-net traffic can flow through this despite me not allowing it to do so.

Qubes vm update also fails with

Invalid response from proxy: HTTP/1.0 500 Unable to connect  Server

I’ve also set mt dom0 update vm to use sys-vpn

Anyone know why this happens and is it a security risk?

DVM · August 4, 2022, 7:45pm

Can you paste here the content of /etc/qubes-rpc/policy/qubes.UpdatesProxy (in dom0)?

tdluhubohapbtisbfj · August 4, 2022, 7:58pm

This file doesn’t exist, I can see ClipboardPaste, InputTablet, GatewayCommand and more files but no .UpdatesProxy or anything like that @DVM

DVM · August 4, 2022, 8:09pm

Try to do the following in dom0:

sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

Paste the following in it, save and exit:

$type:TemplateVM $default allow,target=sys-vpn

sudo chown root.qubes /etc/qubes-rpc/policy/qubes.UpdatesProxy
Open sys-vpn settings, click on Services and add qubes-updates-proxy
Restart sys-vpn

Try to update a template again and see if it works.

tdluhubohapbtisbfj · August 4, 2022, 8:14pm

Works fine now, ty! Not sure, why this isn’t the default, when I think about it I must have used/been using sys-net many times when I updated before as I was using the default sys-net. Is this a risk?

DVM · August 4, 2022, 8:18pm

If you were using sys-net before, it means it’s possible you used your real IP address to upgrade packages. I don’t think it’s an issue unless you really don’t want your ISP to know you are using Qubes OS.

Also, to follow Qubes OS idea, you could create a dedicated AppVM named sys-upgrade for example and replace sys-vpn by it. It means only this VM will be used to upgrade and not sys-vpn directly. Set its netvm to sys-vpn and you are good (everything will go trough the vpn).

tdluhubohapbtisbfj · August 4, 2022, 8:23pm

There’s no possibility of a MITM attack?

DVM · August 4, 2022, 8:24pm

All repos should use https on Fedora and Debian, so you have nothing to worry about.

tdluhubohapbtisbfj · August 4, 2022, 8:26pm

Ok ty

unman · August 6, 2022, 10:56am

Also, all packages are signed by Qubes key, and in Debian the
repositories are signed. (Not sure of current status of signed Fedora
repositories.)

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

tdluhubohapbtisbfj · August 14, 2022, 8:55am

It would be great if there could be a setting to set this in qubes global settings, to force all update checks and updates through the vpn. I know dom0 updates can be set to go through a vpn.

I was operating under the assumption all my traffic is going through the vpn probably others are too so might make it easier

enmus · August 14, 2022, 10:51am

It’s not clear, but if you use Qubes 4.1 you should use /etc/qubes/policy.d/90-default.policy

Although old policy format will still be supported until at least Qubes 5.0, you should consider to start to use it already now keeping in mind it would most probably enable easier transition to 5.0

whoami · October 3, 2022, 3:50pm

I renamed my sys-net to network-dvm,

made a new policy file /etc/qubes/policy.d/30-user.policy and added:

qubes.UpdatesProxy * @type:TemplateVM @default allow target=network-dvm

(replace allow target=sys-net with allow target=network-dvm)

Verified that updates working for templateVMs.

But now I wonder where to set the updates for standaloneVMs?

enmus · October 3, 2022, 4:07pm

How to update standalones

whoami · October 3, 2022, 4:12pm

Ok, so it is listed in the Qubes Update (tool) but standaloneVMs cannot be update by the Qubes Update, am I right?

whoami · October 3, 2022, 4:17pm

Oh, I am sorry!

I worked on three parts in parallel (which is never a good idea). I created a new disposable network … forgot that my testing standaloneVM was set to none network.

I have to apologize my foolishness.

enmus · October 3, 2022, 4:23pm

On the contrary, it’s useful to be here, because there will be others with the very same dilemma.
Btw, (at least fedora and debian based) standalones can be updated over qrexec. I have working examples.

whoami · October 3, 2022, 4:36pm

Interesting!

… but as you wrote

I have to finish my minimal debian template script first. I have already spent so many weekends on it (1000+ lines). I also learnt so much Qubes / Linux / Bash coding, … apt keys … but it is a very tough route to go.