Tool for performing multiple updates #2718
Comments
|
Can be handled by salt: Then add to And launch: Maybe we should ship such configuration by default? |
|
Does this handle only templates? And does it leave them running? |
In this case - yes, because I've specified it that way (
It will leave them in the same state - if template was running, it will be left as such, otherwise it will be stopped after applying state. BTW, if you want to apply just this one action, you can do that in one line, without any additional file: More info: https://www.qubes-os.org/doc/salt/ |
|
Since this appears to be pulling from Qubes API, it seems like ( qubes:type:updateable ) should be possible? I'm reading the salt docs now. |
|
It should be easy to add such option (in practice: |
andrewdavidwong
added
C: mgmt
C: templates
T: enhancement
|
@marmarek This saltstack method tries to launch a VM for each template all at the same time. The result was spurious insufficient memory errors. I also get this prompt for each template:
This is from update command not running as root with the vm-sudo config. |
|
On Sat, Apr 08, 2017 at 08:12:35AM -0700, tasket wrote:
@marmarek This saltstack method tries to launch a VM for each template all at the same time. The result was spurious insufficient memory errors.
It execute 4 of them simultaneously. Currently the value is hardcoded
here:
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubessalt/__init__.py#L191
But it shouldn't be hard to add an option.
I also get this prompt for each template:
* Do you allow domain "disp-mgmt-fedora-24-minimal" to execute qubes.VMAuth operation on the domain "dom0"?
This is from update command not running as root with the vm-sudo config.
Yes, salt and related scripts do use sudo. If you don't want those
prompts, probably the easiest way is to add "allow" rules (before
default ask) for those domains to /etc/qubes-rpc/policy/qubes.VMAuth.
This applies to disp-mgmt-* VMs and templates itself. VM names
disp-mgmt-* are not used anywhere else, so this shouldn't have side
effects.
…--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
|
|
Currently having doubts about using a config management engine (salt) for routine maintenance tasks. The more I learn, the more it seems like a poor fit. Adding some nice-to-have features to qubes-multi-update, but will definitely use saltstack for VPN setup, vm-sudo setup and more... |
Absolutely! It's a pain to upgrade all VMs one by one, a upgrade all VM button would be much, much appriciated. |
|
Feature request: The ability to manually select some VMs for exclusion from bulk updates. I have a couple VMs running intentionally outdated versions of stuff which is required to get some proprietary stuff running properly. Sure, I could probably just pin the specific packages necessary in my package manager, but this is not a workable solution for people who are not familiar with package managers and just want to say "I know this is vulnerable and terrible, but please don't touch it. It's not networked and I keep my data away from it, it's okay. I just need it to work." |
|
@jpouellet Done :) |
|
I had in mind more of some persistent config on a VM which says to exclude it (like existing options for "include in backups by default", "automatically start on boot", etc.), which you could set and forget, rather than some cmd line option which you need to remember to pass each time. Looking forward, this seems to be exactly the kind of thing core3's "features" (essentially a dict of auxiliary metadata on each VM) enables cleanly. |
|
No doubt, that would make it easy. But while we're running 3.x its good to have something that works. And although there is no current way to tag or assign other metadata to VMs, keeping a separate list just for the purpose could also enable the 'set and forget' use case. |
|
Indeed. Thanks for working on this :) |
|
@marmarek Gives a bunch of "SKIP (nothing to do)" while most of the templates require updates. |
|
It's #2451 - there is optimization to not start VMs not mentioned in top file. Until linked issue is resolved, you can use placeholder state, for example: base:
qubes:type:template:
- match: pillar
- topdPut the above in |
|
Confirming @tlaurion's "SKIP" results, even after implementing @marmarek's suggested workaround: To confirm it's not that there's really nothing to do, I manually started |
|
Oh, it should be |
|
@marmarek Still "SKIP (nothing to do)" warnings with qubes:type:template in /srv/salt/placeholder.top When will a solution to upgrade all templates from GUI happens? |
|
@marmarek |
|
Yes, with @marmarek 's tweak to the template I posted above, this is now a reliable method to "update all VMs." Still hoping to make this automatic, presumably via cron. |
|
There's a pull request for a gui tool for that - QubesOS/qubes-desktop-linux-manager#34 . Does this mean this issue is solved, @marmarek ? We have a CLI way to update VMs (which can be added to cron) and a gui tool for users to click through updates when they become available. |
Oops, missed this part:
Looks like it's considered done. |
andrewdavidwong
added
R: declined
QubesOS#2718 was fixed a while ago.
Qubes needs a way to handle multiple OS updates automatically since managing these processes individually is disruptive to the user.
So far I have a python script
qubes-multi-updatethat can handle Linux-based VMs which includes PVM templates, standalones and dom0:https://github.com/tasket/Qubes-scripts/blob/master/qubes-multi-update
It is meant to be an improvement on various other update scripts seen online; it tries to intelligently handle VM states and status (such as 'updates available') and can optionally TRIM templates and standalones.
Related issues:
https://gist.github.com/andrewdavidwong/d0b109186de65835255d467ae103c289
https://gist.github.com/JimmyAx/818bcf11a14e85531516ef999c8c5765
#1378
#1760
#2150
The text was updated successfully, but these errors were encountered: