Updating dom0 does not work on new 4.1 install

yanakieff · May 31, 2022, 8:21am

I follow the update Qubes article and using the first command:

sudo qubesctl --show-output state.sls update.qubes-dom0

I get:

[WARNING ] /usr/lib/python3.8/site-packages/salt/utils/files.py:396: RuntimeWarning: line buffering (buffering=1) isn’t supported in binary mode, the default buffer size will be used
f_handle = open(*args, **kwargs) # pylint: disable=resource-leakage

and then nothing else happen.

I checked firewall log, here what is there:

handle_execute_service: couldn’t invoke qrexec-policy-daemon, using qrexec-policy-exec
connect_daemon_socket: connection to socket failed: connection refused
qrexec-daemon.c:589:handle_cmdline_body_from_client: connection with ident not requested or already handled
ioall.c:75:read_all: EOF
qrexec-client.c: 318: negoriate_connection_params: read daemon success
sys-firewall → dom0: error while executing: qrexec-client failed [’/usr/lib/qubes/qrexec-client’, ‘-d’, ‘dom0’, ‘-c’, ‘SOCKET12,sys-firewall,6’, ‘-E’, ‘QUBERPC qubes.WIndowIconUpdate+ sys-firewall keyword adminvs’]
qrexec-daemon.c: 695:reap-children: qrexec-policy-exec for connetion SOCKET12 exited with code 1, but the response (allow) was already sent

tzwcfq · May 31, 2022, 10:53am

Did you perform an in-place upgrade from Qubes 4.0 to Qubes 4.1? Or do you have clean Qubes 4.1 installation?
Did you restore old Qubes 4.0 template from backup and use it for your sys-firewall?

yanakieff · June 1, 2022, 7:03am

No, fresh 4.1 install. Installed whonix at the beginning, but now is stopped (if that could potentially mess the settings)

Global settings update setting is set to sys-firewall.

Posting some results I made, following some posts from people with updates issue. I do not know how much they are connected.

My qubes.UpdatesProxy file shows only two lines:

$tag:whonix-updatevm $default allow, target=sys-whonix
$tag:whonix-updatevm $anyvm deny

Using:

sudo systemctl status qubes-updates-proxy.service

in sys-firewall shows inactive(dead).

qubes-prefs in dom0 shows updatevm to be sys-firewall.

tzwcfq · June 1, 2022, 11:32am

This is normal if you have default updatevm for templates that is set here:
cat /etc/qubes/policy.d/90-default.policy | grep UpdatesProxy
Policies in /etc/qubes-rpc/policy/ have higher priority than policies in /etc/qubes/policy.d/90-default.policy.
Do you have sys-firewall set as UpdatesProxy for @type:TemplateVM or is it sys-net?
But anyway it’s a setting that specify which netvm to use as updatevm for template updates and shouldn’t be related to your issue with dom0 updates as it’s using another setting to specify which netvm to use as updatevm for dom0 in global settings.

Maybe you’re missing qubes-updates-proxy service for sys-firewall. Try to add it in sys-firewall Qubes Settings.

If it won’t work then what if you create new qube sys-firewall2 with Provides network option enabled and try to set it as updatevm for dom0 in Qubes Global Settings?
Also add the qubes-updates-proxy service in the Qubes Settings for your sys-firewall2.
Will you have the same error?
Maybe your sys-firewall qube is broken for some reason.

dom0 · June 2, 2022, 3:29am

The QubesOS Documentation has a warning about how best to perform updates and recommends that you run two different commands, one after the other:

sudo qubesctl --show-output state.sls update.qubes-dom0 && sudo qubes-dom0-update --clean -y

I get this same warning, but it successfully updates after a minute or so, depending on how many updates are available. Does the CPU usage of your dom0 and updatevm rise and fluctuate after running the dom0 update command?

To @tzwcfq and others, do you not see the same warning when running the dom0 update command?

tzwcfq · June 2, 2022, 5:50am

I have this warning as well:

github.com/QubesOS/qubes-issues

Python Warning @ dom0 update

opened 07:33AM - 11 May 22 UTC

johnnyboy-3

T: bug P: major C: mgmt needs diagnosis C: updates

### Qubes OS release R4.1 ### Brief summary Manually updating dom0 …by cli gives a python line buffering warning, and a bogus cache cleaning warning in the output ``` # sudo qubesctl --show-output state.sls update.qubes-dom0 [WARNING ] /usr/lib/python3.8/site-packages/salt/utils/files.py:396: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used f_handle = open(*args, **kwargs) # pylint: disable=resource-leakage local: ---------- ID: /etc/yum.repos.d/qubes-dom0.repo Function: file.replace Result: True Comment: No changes needed to be made Started: 09:20:44.495878 Duration: 14.632 ms Changes: ---------- ID: /etc/yum.repos.d/qubes-templates.repo Function: file.replace Result: True Comment: No changes needed to be made Started: 09:20:44.510676 Duration: 2.045 ms Changes: ---------- ID: update Function: cmd.run Name: if qubes-dom0-update --quiet --assumeyes --clean --action=clean expire-cache >/dev/null 2>&1; then echo "result=True comment='Cache cleaned'" else echo "result=False comment='Could not clean cache'" fi Result: True Comment: Cache cleaned Started: 09:20:44.514937 Duration: 3851.347 ms Changes: ---------- ID: update Function: pkg.uptodate Result: True Comment: System is already up-to-date Started: 09:20:49.789651 Duration: 203855.47 ms Changes: Summary for local ------------ Succeeded: 4 Failed: 0 ------------ Total states run: 4 Total run time: 207.723 s ``` ### Steps to reproduce Run `sudo qubesctl --show-output state.sls update.qubes-dom0` in dom0 using terminal ### Expected behavior No warnings and a proper update message ### Actual behavior Python warning & bogus cache cleaning bash script except

But after running this command:
sudo qubesctl --show-output state.sls update.qubes-dom0
There should be some output at the end even if there are no updates.

yanakieff · June 3, 2022, 11:33am

Yes, it did show the log after the python warning, needed to wait a little bit longer. It says 39000ms. Not the 207ms from the post.

In the sys-firewall settings in the services tab I don’t have services listed.

Policies in /etc/qubes-rpc/policy/ have higher priority than policies in /etc/qubes/policy.d/90-default.policy .

The qubes.UpdatesProxy in qubes-rpc/policy is the one I posted. And the 90-default.policy looks like that:

Upgrade all TemplateVMs through sys-wnonix.
qubesUpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
Upgrade all Whonix TemplateVMs through sys-wnonix.
qubesUpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
Deny Whonix TemplateVMs using UpdateProxy of any other VM.
qubesUpdatesProxy * @tag:whonix-updatevm @anyvm deny
Default rule for all TemplateVMs - direct the connection to sys-net
qubesUpdatesProxy * @type:TemplateVM @default allow target=sys-net
qubesUpdatesProxy * @anyvm @anyvm deny

Using:

sudo systemctl status qubes-updates-proxy.service

in firewall, besides shows it is inactive, it says:

systemd[1]: Condition check resulted in Qubes updates proxy (tinyproxy) being skipped.

tzwcfq · June 3, 2022, 11:54am

It seems that you’ve removed # symbols before posting.
But if you didn’t change the file then you have sys-net as your updatevm for template updates:
qubesUpdatesProxy * @type:TemplateVM @default allow target=sys-net
You can change it to sys-firewall if you need.

It seems that qubes-updates-proxy service is not enabled for sys-firewall.
Add qubes-updates-proxy service in sys-firewall Services tab in Qube Settings.
You can read more info about it here:
How to install software | Qubes OS

yanakieff · June 3, 2022, 12:06pm

The # are in the file, just didn’t wrote them.

sudo systemctl list-unit-files | grep qubes says it is, presumably.

In the services tab there is nothing in the drop-down menu, except (custom). Below is blank. No added services. Should there be something by default here?

tzwcfq · June 3, 2022, 12:19pm

There seems to be some peculiarities with disposable qubes and they don’t have default Qubes services listed in Services tab like other AppVMs based on TemplateVMs.
Just select (custom...) in Services tab, press Add and type qubes-updates-proxy there.

yanakieff · June 10, 2022, 11:25am

That didn’t change anything.

But I continued with the other steps from the update guide.

Some things updated, I think.

Thanks, for your time. Again.