I am trying to install a community template (in the form of a .rpm) inside of a non-dom0 management qube using qvm-template install <.rpm> but I am running into what seems to be permission problems, but I am not sure why.
qvm-template install <.rpm> --nogpgcheck --verbose
Traceback (most recent call last):
File "/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_template_postprocess.py", line 314, in post_install
import_root_img(vm, args.dir)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_template_postprocess.py", line 124, in import_root_img
vm.volumes['root'].import_data_with_size(
^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/qubesadmin/vm/__init__.py", line 253, in volumes
volumes_list = self.qubesd_call(
self._method_dest, 'admin.vm.volume.List')
File "/usr/lib/python3.13/site-packages/qubesadmin/base.py", line 76, in qubesd_call
return self.app.qubesd_call(dest, method, arg, payload,
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
payload_stream)
^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/qubesadmin/app.py", line 912, in qubesd_call
raise qubesadmin.exc.QubesDaemonAccessError(
'Service call error: %s', stderr.decode())
qubesadmin.exc.QubesDaemonAccessError: Service call error: Request refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/qvm-template-postprocess", line 5, in <module>
sys.exit(main())
~~~~^^
File "/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_template_postprocess.py", line 450, in main
loop.run_until_complete(post_install(args))
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete
return future.result()
~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_template_postprocess.py", line 318, in post_install
del app.domains[vm.name]
~~~~~~~~~~~^^^^^^^^^
File "/usr/lib/python3.13/site-packages/qubesadmin/app.py", line 147, in __delitem__
self.app.qubesd_call(key, 'admin.vm.Remove')
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/qubesadmin/app.py", line 912, in qubesd_call
raise qubesadmin.exc.QubesDaemonAccessError(
'Service call error: %s', stderr.decode())
qubesadmin.exc.QubesDaemonAccessError: Service call error: Request refused
I’ve created a specific policy file in dom0 for the installation: /etc/qubes/policy.d/1-template-installation.policy that contains:
admin.vm.Create.TemplateVM * temporary-install-qube dom0 allow
admin.property.Get +updatevm temporary-install-qube dom0 allow
admin.vm.List * temporary-install-qube dom0 allow
admin.vm.volume.List * temporary-install-qube * allow
I have also added the following to the /etc/qubes/policy.d/include/admin-glocal-ro file
temporary-install-qube @tag:created-by-temporary-install-qube allow target=dom0
and inside /etc/qubes/policy.d/include/admin-local-rwx
temporary-install-qube @tag:created-by-temporary-install-qube allow target=dom0
These were added through trial and error (and also inspired by looking at the ansible repo GitHub - deeplow/qubes-ansible: Ansible module and connection plugin for Qubes OS · GitHub).
I no longer get a popup saying permission denied when running qvm-template install nor is there any logged message in dom0 journalctl which implies something was denied.
Yet the python stack trace seems to imply that a permission has been denied.