qubes-download-dom0-updates.sh gets confused by dns resolution issues

[adrelanos]

/usr/lib/qubes/qubes-download-dom0-updates.sh gets confused by dns resolution issues.

(This happened while using a Qubes-Whonix-Gateway.)

The problematic line seems to be.

UPDATES=`yum $OPTS check-update -q | cut -f 1 -d ' ' | grep -v "^Obsoleting"

It gets confused by lines such as.

http://yum.qubes-os.org/r3.0/current/dom0/fc20/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"

A related issue seems to be, that exit codes aren't checked in that script.

Fortunately, it looks like yum would exit non-zero (100) in such cases. So actually checking the exit codes before using output by yum could solve this issue.

Full xtrace.

sudo bash -x qubes-dom0-update

++ qubes-prefs --get updatevm
+ UPDATEVM=my-whonix-gw-standalone
+ UPDATES_STAT_FILE=/var/lib/qubes/updates/dom0-updates-available
+ '[' -z my-whonix-gw-standalone ']'
+ '[' '' = --help ']'
++ rpm -qa --qf '%{NAME},' 'qubes-template-*'
+ TEMPLATE_EXCLUDE_OPTS=--exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal,
+ PKGS=
+ YUM_OPTS=--exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal,
+ GUI=
+ CHECK_ONLY=
+ ALL_OPTS='--exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal, '
+ YUM_ACTION=
+ QVMRUN_OPTS=
+ CLEAN=
+ '[' 0 -gt 0 ']'
++ id -ur
+ ID=0
+ '[' 0 '!=' 0 -a -z '' -a -z '' ']'
+ '[' '' == 1 -a -n '' ']'
+ '[' '' == 1 ']'
+ '[' '' '!=' 1 ']'
+ QVMRUN_OPTS=--nogui
+ '[' '' == 1 ']'
+ '[' -n '' ']'
+ rm -f /var/lib/qubes/updates/errors
+ qvm-sync-clock
+ echo 'Using my-whonix-gw-standalone as UpdateVM to download updates for Dom0; this may take some time...'
Using my-whonix-gw-standalone as UpdateVM to download updates for Dom0; this may take some time...
+ qvm-run --nogui -a my-whonix-gw-standalone true
Running command on VM: 'my-whonix-gw-standalone'...
+ tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf
+ qvm-run -p my-whonix-gw-standalone 'LC_MESSAGES=C tar x -C /var/lib/qubes/dom0-updates 2>&1 | grep -v -E "s in the future"'
+ qvm-run --nogui --pass-io my-whonix-gw-standalone '/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui --exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal, '
+ DOM0_UPDATES_DIR=/var/lib/qubes/dom0-updates
+ DOIT=0
+ GUI=1
+ CLEAN=0
+ CHECK_ONLY=0
+ OPTS='--installroot /var/lib/qubes/dom0-updates --config=/var/lib/qubes/dom0-updates/etc/yum.conf'
+ PKGLIST=
+ YUM_ACTION=
+ export LC_ALL=C
+ LC_ALL=C
+ '[' -n --doit ']'
+ case "$1" in
+ DOIT=1
+ shift
+ '[' -n --nogui ']'
+ case "$1" in
+ GUI=0
+ shift
+ '[' -n --exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal, ']'
+ case "$1" in
+ OPTS='--installroot /var/lib/qubes/dom0-updates --config=/var/lib/qubes/dom0-updates/etc/yum.conf --exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal,'
+ shift
+ '[' -n '' ']'
+ '[' -z '' ']'
+ YUM_ACTION=upgrade
+ '[' -d /var/lib/qubes/dom0-updates ']'
+ mkdir -p /var/lib/qubes/dom0-updates/etc
+ sed -i '/^reposdir\s*=/d' /var/lib/qubes/dom0-updates/etc/yum.conf
+ '[' -e /etc/debian_version ']'
+ mkdir -p /var/lib/qubes/dom0-updates/home/user
+ ln -nsf /var/lib/qubes/dom0-updates/var/lib/rpm /var/lib/qubes/dom0-updates/home/user/.rpmdb
+ rm -f /var/lib/qubes/dom0-updates/var/lib/rpm/__db.001 /var/lib/qubes/dom0-updates/var/lib/rpm/__db.002 /var/lib/qubes/dom0-updates/var/lib/rpm/__db.003
+ rpm --root=/var/lib/qubes/dom0-updates --rebuilddb
+ '[' 0 = 1 ']'
+ '[' x = x ']'
+ echo 'Checking for dom0 updates...'
Checking for dom0 updates...
++ yum --installroot /var/lib/qubes/dom0-updates --config=/var/lib/qubes/dom0-updates/etc/yum.conf --exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal, check-update -q
++ cut -f 1 -d ' '
++ grep -v '^Obsoleting'
http://yum.qubes-os.org/r3.0/current/dom0/fc20/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
http://yum.qubes-os.org/r3.0/security-testing/dom0/fc20/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
http://yum.qubes-os.org/r3.0/templates-itl/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
+ UPDATES='Could
14:
Could
14:

qubes-core-dom0.x86_64
qubes-core-dom0-doc.noarch
qubes-core-dom0-linux.x86_64

qubes-core-dom0-linux-kernel-install.x86_64

xen.x86_64
xen-hvm.x86_64
xen-hypervisor.x86_64
xen-libs.x86_64
xen-licenses.x86_64
xen-runtime.x86_64'
+ '[' -z '' -a -z 'Could
14:
Could
14:

qubes-core-dom0.x86_64
qubes-core-dom0-doc.noarch
qubes-core-dom0-linux.x86_64

qubes-core-dom0-linux-kernel-install.x86_64

xen.x86_64
xen-hvm.x86_64
xen-hypervisor.x86_64
xen-libs.x86_64
xen-licenses.x86_64
xen-runtime.x86_64' ']'
+ '[' 0 = 1 ']'
+ '[' 1 '!=' 1 -a '' '!=' 1 ']'
+ YUM_COMMAND='fakeroot yum upgrade -y --downloadonly --downloaddir=/var/lib/qubes/dom0-updates/packages'
+ yum --help
+ grep -q downloadonly
+ '[' upgrade '!=' install -a upgrade '!=' upgrade ']'
+ '[' upgrade = upgrade ']'
+ PKGLIST='Could
14:
Could
14:

qubes-core-dom0.x86_64
qubes-core-dom0-doc.noarch
qubes-core-dom0-linux.x86_64

qubes-core-dom0-linux-kernel-install.x86_64

xen.x86_64
xen-hvm.x86_64
xen-hypervisor.x86_64
xen-libs.x86_64
xen-licenses.x86_64
xen-runtime.x86_64'
+ YUM_COMMAND='yumdownloader --destdir=/var/lib/qubes/dom0-updates/packages --resolve'
+ mkdir -p /var/lib/qubes/dom0-updates/packages
+ set -e
+ '[' 0 = 1 ']'
+ yumdownloader --destdir=/var/lib/qubes/dom0-updates/packages --resolve --installroot /var/lib/qubes/dom0-updates --config=/var/lib/qubes/dom0-updates/etc/yum.conf --exclude=qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-fedora-21,qubes-template-debian-8,qubes-template-jessie-minimal, Could 14: Could 14: qubes-core-dom0.x86_64 qubes-core-dom0-doc.noarch qubes-core-dom0-linux.x86_64 qubes-core-dom0-linux-kernel-install.x86_64 xen.x86_64 xen-hvm.x86_64 xen-hypervisor.x86_64 xen-libs.x86_64 xen-licenses.x86_64 xen-runtime.x86_64
http://yum.qubes-os.org/r3.0/current/dom0/fc20/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
http://yum.qubes-os.org/r3.0/security-testing/dom0/fc20/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
http://yum.qubes-os.org/r3.0/templates-itl/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
No Match for argument Could
No Match for argument 14:
No Match for argument Could
No Match for argument 14:
--> Running transaction check
---> Package qubes-core-dom0.x86_64 0:3.0.22-1.fc20 will be installed
---> Package qubes-core-dom0-doc.noarch 0:3.0.22-1 will be installed
---> Package qubes-core-dom0-linux.x86_64 0:3.0.15-1.fc20 will be installed
---> Package qubes-core-dom0-linux-kernel-install.x86_64 0:3.0.15-1.fc20 will be installed
---> Package xen.x86_64 2001:4.4.2-7.fc20 will be installed
---> Package xen-hvm.x86_64 2001:4.4.2gui3.0.0-7.fc20 will be installed
---> Package xen-hypervisor.x86_64 2001:4.4.2-7.fc20 will be installed
---> Package xen-libs.x86_64 2001:4.4.2-7.fc20 will be installed
---> Package xen-licenses.x86_64 2001:4.4.2-7.fc20 will be installed
---> Package xen-runtime.x86_64 2001:4.4.2-7.fc20 will be installed
--> Finished Dependency Resolution
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/qubes-core-dom0-3.0.22-1.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg qubes-core-dom0-3.0.22-1.fc20.x86_64: failure: rpm/qubes-core-dom0-3.0.22-1.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/qubes-core-dom0-doc-3.0.22-1.noarch.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg qubes-core-dom0-doc-3.0.22-1.noarch: failure: rpm/qubes-core-dom0-doc-3.0.22-1.noarch.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/qubes-core-dom0-linux-3.0.15-1.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg qubes-core-dom0-linux-3.0.15-1.fc20.x86_64: failure: rpm/qubes-core-dom0-linux-3.0.15-1.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/qubes-core-dom0-linux-kernel-install-3.0.15-1.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg qubes-core-dom0-linux-kernel-install-3.0.15-1.fc20.x86_64: failure: rpm/qubes-core-dom0-linux-kernel-install-3.0.15-1.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/xen-4.4.2-7.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg 2001:xen-4.4.2-7.fc20.x86_64: failure: rpm/xen-4.4.2-7.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/xen-hvm-4.4.2gui3.0.0-7.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg 2001:xen-hvm-4.4.2gui3.0.0-7.fc20.x86_64: failure: rpm/xen-hvm-4.4.2gui3.0.0-7.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/xen-hypervisor-4.4.2-7.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg 2001:xen-hypervisor-4.4.2-7.fc20.x86_64: failure: rpm/xen-hypervisor-4.4.2-7.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/xen-libs-4.4.2-7.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg 2001:xen-libs-4.4.2-7.fc20.x86_64: failure: rpm/xen-libs-4.4.2-7.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/xen-licenses-4.4.2-7.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg 2001:xen-licenses-4.4.2-7.fc20.x86_64: failure: rpm/xen-licenses-4.4.2-7.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
http://yum.qubes-os.org/r3.0/current-testing/dom0/fc20/rpm/xen-runtime-4.4.2-7.fc20.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Could not resolve host: yum.qubes-os.org"
Trying other mirror.
Could not download/verify pkg 2001:xen-runtime-4.4.2-7.fc20.x86_64: failure: rpm/xen-runtime-4.4.2-7.fc20.x86_64.rpm from qubes-dom0-current-testing: [Errno 256] No more mirrors to try.
+ RETCODE=2
+ '[' '' == 1 ']'
+ '[' 2 -ne 0 ']'
+ exit 2

[marmarek]

This would be much less of an issue if we had newer yum in debian template - then yum --downloadonly could be used which is much more robust than manually constructing packages list and download them using yumdownloader. There is already a code to detect if yum is new enough.
Yum exit code 100 means "updates available", not an error:

       check-update
              Implemented  so  you  could know if your machine had any updates
              that needed to be  applied  without  running  it  interactively.
              Returns exit value of 100 if there are packages available for an
              update. Also returns a list of the packages  to  be  updated  in
              list  format. Returns 0 if no packages are available for update.
              Returns 1 if an error occurred.  Running in  verbose  mode  also
              shows obsoletes.

The problem is that yum is one of that software that uses stdout for errors...
I think the grep -v Obsoleting line could be improved to match actual packages instead of filtering out non-packages lines.

[marmarek]

This would be much less of an issue if we had newer yum in debian template - then yum --downloadonly could be used which is much more robust than manually constructing packages list and download them using yumdownloader. There is already a code to detect if yum is new enough.
Yum exit code 100 means "updates available", not an error:

       check-update
              Implemented  so  you  could know if your machine had any updates
              that needed to be  applied  without  running  it  interactively.
              Returns exit value of 100 if there are packages available for an
              update. Also returns a list of the packages  to  be  updated  in
              list  format. Returns 0 if no packages are available for update.
              Returns 1 if an error occurred.  Running in  verbose  mode  also
              shows obsoletes.

The problem is that yum is one of that software that uses stdout for errors...
I think the grep -v Obsoleting line could be improved to match actual packages instead of filtering out non-packages lines.

[adrelanos]

Then yum is also affected by a similar issue as Debian Template: build script security - deal with 'apt-get update' unreliable exit codes (#1107).

[adrelanos]

Then yum is also affected by a similar issue as Debian Template: build script security - deal with 'apt-get update' unreliable exit codes (#1107).

[marmarek]

Not really, in case of error, it returns 1. You can explicitly
configure repository to be ignored in case of errors, but unless you do,
you'll get return code 1 if yum isn't able to check such repo. Note
that if yum have cached (not expired) data, it will use it instead of
failing. By default cache expire after 6 hours (according to man yum.conf).

This means that qubes-download-dom0-updates.sh should check if exit
code is 1.

Example error message after breaking repo and cleaning cache:

[root@testvm user]# yum clean all
Loaded plugins: langpacks, post-transaction-actions, yum-qubes-hooks
Cleaning repos: fedora qubes-vm-r3.0-current rpmfusion-free
              : rpmfusion-free-updates rpmfusion-nonfree
              : rpmfusion-nonfree-updates tor tor-source updates
Cleaning up everything
[root@testvm user]# yum check-update
Loaded plugins: langpacks, post-transaction-actions, yum-qubes-hooks

 One of the configured repositories failed (Fedora 21 - x86_64),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable fedora

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=fedora.skip_if_unavailable=true

Cannot retrieve metalink for repository: fedora/21/x86_64. Please verify
its path and try again
[root@testvm user]# echo $?
1

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

Not really, in case of error, it returns 1. You can explicitly
configure repository to be ignored in case of errors, but unless you do,
you'll get return code 1 if yum isn't able to check such repo. Note
that if yum have cached (not expired) data, it will use it instead of
failing. By default cache expire after 6 hours (according to man yum.conf).

This means that qubes-download-dom0-updates.sh should check if exit
code is 1.

Example error message after breaking repo and cleaning cache:

[root@testvm user]# yum clean all
Loaded plugins: langpacks, post-transaction-actions, yum-qubes-hooks
Cleaning repos: fedora qubes-vm-r3.0-current rpmfusion-free
              : rpmfusion-free-updates rpmfusion-nonfree
              : rpmfusion-nonfree-updates tor tor-source updates
Cleaning up everything
[root@testvm user]# yum check-update
Loaded plugins: langpacks, post-transaction-actions, yum-qubes-hooks

 One of the configured repositories failed (Fedora 21 - x86_64),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable fedora

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=fedora.skip_if_unavailable=true

Cannot retrieve metalink for repository: fedora/21/x86_64. Please verify
its path and try again
[root@testvm user]# echo $?
1

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

Back to the original issue - it seems that yum prints that error to stdout instead of stderr. But I can't reproduce it on Debian 8 VM - error is properly printed on stderr. Anything special in Whonix Gw that would matter here?

[marmarek]

Back to the original issue - it seems that yum prints that error to stdout instead of stderr. But I can't reproduce it on Debian 8 VM - error is properly printed on stderr. Anything special in Whonix Gw that would matter here?

[adrelanos]

Anything special in Whonix Gw that would matter here?

No. Stderr/stdout just works normal.

[adrelanos]

Anything special in Whonix Gw that would matter here?

No. Stderr/stdout just works normal.

[marmarek]

I wanted to say that Debian have the same yum version as Fedora 21 (3.4.3), but then I've checked yum source package in Fedora - there are 7 patches. One of them is named yum-HEAD.patch and have almost 6MB... Yes, you've guessed correctly.

Can we ignore this problem? Just add error code checking (which actually I've already done, just not pushed yet).

[marmarek]

I wanted to say that Debian have the same yum version as Fedora 21 (3.4.3), but then I've checked yum source package in Fedora - there are 7 patches. One of them is named yum-HEAD.patch and have almost 6MB... Yes, you've guessed correctly.

Can we ignore this problem? Just add error code checking (which actually I've already done, just not pushed yet).

[adrelanos]

Marek Marczykowski-Górecki:

Can we ignore this problem?

Yes. Let's not go in circles. Just wait until a "better" yum version
gets available in Debian.

[adrelanos]

Marek Marczykowski-Górecki:

Can we ignore this problem?

Yes. Let's not go in circles. Just wait until a "better" yum version
gets available in Debian.