After installing the cacher qube through qubes-task-gui, when trying to update any whonix qube I was seeing:
Updating whonix-gateway-17
Refreshing package info
Refreshing packages.
Fail to refresh InRelease: tor+https://deb.whonix.org bookworm InRelease from tor+https://deb.whonix.org/dists/bookworm/InRelease
Fail to refresh InRelease: tor+https://deb.kicksecure.com bookworm InRelease from tor+https://deb.kicksecure.com/dists/bookworm/InRelease
<...>
E:Failed to fetch tor+https://deb.debian.org/debian/dists/bookworm/InRelease
Could not connect to 127.0.0.1:8082 (127.0.0.1).
- connect (113: No route to host),
<...>
E:Some index files failed to download. They have been ignored, or old ones used instead.
Here’s /etc/qubes/policy.d/50-config-updates.policy before installation:
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
Here it is after installation of cacher:
qubes.UpdatesProxy * @type:TemplateVM @default allow target=cacher
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
Looks like the added policy line matches all templates, including whonix templates, even though those can’t update through the cacher because of their tor+https:// apt specifications.
An easy fix is to put the cacher policy line after the whonix lines:
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
qubes.UpdatesProxy * @type:TemplateVM @default allow target=cacher
Whonix updates now succeed.
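The ordering effect described in the post can be reproduced with a small first-match evaluator. This is an added example, not part of the original post and not Qubes' own policy parser. It is a simplified model, and the qube attributes (type and tag of whonix-gateway-17, and the untagged `debian-12` template) are assumptions made for illustration.

```python
# Simplified model of first-match qrexec policy evaluation (illustration only).
BEFORE_FIX = """\
qubes.UpdatesProxy * @type:TemplateVM @default allow target=cacher
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
"""
AFTER_FIX = """\
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
qubes.UpdatesProxy * @type:TemplateVM @default allow target=cacher
"""
# Constructed qube descriptions (assumed attributes; debian-12 is hypothetical).
WHONIX = {"name": "whonix-gateway-17", "type": "TemplateVM", "tags": {"whonix-updatevm"}}
DEBIAN = {"name": "debian-12", "type": "TemplateVM", "tags": set()}

def parse(policy_text):
    """Split each policy line into (service, arg, source, target, action, params)."""
    rules = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, arg, source, target, action, *params = line.split()
        rules.append((service, arg, source, target, action,
                      dict(p.split("=", 1) for p in params)))
    return rules

def source_matches(spec, qube):
    """Match the source column against a qube by type, tag, wildcard or name."""
    if spec == "@anyvm":
        return True
    if spec.startswith("@type:"):
        return qube["type"] == spec[len("@type:"):]
    if spec.startswith("@tag:"):
        return spec[len("@tag:"):] in qube["tags"]
    return spec == qube["name"]

def resolve(policy_text, qube, service="qubes.UpdatesProxy", target="@default"):
    """Return (action, redirect target) of the FIRST matching rule, top to bottom."""
    for svc, _arg, src, tgt, action, params in parse(policy_text):
        # Treating @anyvm as a target wildcard is a simplification of this model.
        if svc == service and source_matches(src, qube) and tgt in (target, "@anyvm"):
            return action, params.get("target")
    return "deny", None  # no rule matched

if __name__ == "__main__":
    for label, policy in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for qube in (WHONIX, DEBIAN):
            print(label, qube["name"], resolve(policy, qube))
```

With the cacher line first, the whonix template is caught by the broad `@type:TemplateVM` rule before its own tag rule is ever read; with the cacher line last, the tag rule wins and other templates still fall through to the cacher.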