Debian based UpdateVM does not support --action=list or reinstall #3553

awokd · Feb 8, 2018

Qubes OS version:

Affected TemplateVMs:

debian-9, whonix-gw

Steps to reproduce the behavior:

Set UpdateVM to a debian-9 based sys-firewall or standard sys-whonix
sudo qubes-dom0-update --action=list kernel-qubes-vm (or --action=reinstall, etc.)

Expected behavior:

packages will be listed or reinstalled

Actual behavior:

ERROR: yum version installed in VM host does not suppport --downloadonly option
ERROR: only 'install' and 'upgrade' actions supported (list not)

General notes:

Ideally these additional --action commands would work with a Debian based UpdateVM, but if it's a WONTFIX there should be a documented work-around available. --action=reinstall is easy enough to document (dnf remove, then install the package) but how does one --action=list available packages in the qubes-dom0-unstable repository for example?

Related issues:

#1029
#3495

You left the "Qubes OS version" field empty, but I'm guessing you meant 4.0.

andrewdavidwong · Feb 9, 2018

You left the "Qubes OS version" field empty, but I'm guessing you meant 4.0.

@andrewdavidwong No, it applies to both 3.2 & 4.0 using a Debian based UpdateVM.

awokd · Feb 9, 2018

@andrewdavidwong No, it applies to both 3.2 & 4.0 using a Debian based UpdateVM.

Probably older versions too, since #1029 was released. Should I have written "all"?

awokd · Feb 9, 2018

Probably older versions too, since #1029 was released. Should I have written "all"?

Probably older versions too, since #1029 was released. Should I have written "all"?

Yeah, or "3.2 and 4.0," or "3.2 and 4.0 confirmed, but probably all," depending on your temperament with respect to verbosity and speculation. 🙂

(However, since versions prior to 3.2 are no longer supported, it doesn't matter whether they're affected for the purposes of this issue tracker.)

Since an issue can have only one milestone, I'll change this one to 3.2

andrewdavidwong · Feb 10, 2018

Probably older versions too, since #1029 was released. Should I have written "all"?

Yeah, or "3.2 and 4.0," or "3.2 and 4.0 confirmed, but probably all," depending on your temperament with respect to verbosity and speculation. 🙂

(However, since versions prior to 3.2 are no longer supported, it doesn't matter whether they're affected for the purposes of this issue tracker.)

Since an issue can have only one milestone, I'll change this one to 3.2

ERROR: yum version installed in VM host does not suppport --downloadonly option
ERROR: only 'install' and 'upgrade' actions supported (list not)

If I copy in qubes-dom0.repo to my debian-9 template (and disable all repos in there and replace r$releasever with r3.2), yum lets me list available packages. Like the error message says though, --downloadonly is not supported. sys-whonix can't resolve yum.qubes-os.org probably for security reasons, but there must be a way to accomplish the same thing in there because it can download updates for dom0.

user@debian-9:~$ yum --enablerepo=qubes-dom0-current list kernel-qubes-vm
qubes-dom0-current                                                                     | 3.6 kB  00:00:00
qubes-dom0-current/primary_db                                                          | 890 kB  00:00:01
Available Packages
kernel-qubes-vm.x86_64                      1000:4.9.56-21.pvops.qubes                      qubes-dom0-current
user@debian-9:~$ yum --enablerepo=qubes-dom0-current-testing list kernel-qubes-vm
qubes-dom0-current-testing                                                             | 3.6 kB  00:00:00
qubes-dom0-current-testing/primary_db                                                  | 1.6 MB  00:00:02   
Available Packages
kernel-qubes-vm.x86_64                  1000:4.14.18-1.pvops.qubes                  qubes-dom0-current-testing
user@debian-9:~$

awokd · Feb 11, 2018

ERROR: yum version installed in VM host does not suppport --downloadonly option
ERROR: only 'install' and 'upgrade' actions supported (list not)

If I copy in qubes-dom0.repo to my debian-9 template (and disable all repos in there and replace r$releasever with r3.2), yum lets me list available packages. Like the error message says though, --downloadonly is not supported. sys-whonix can't resolve yum.qubes-os.org probably for security reasons, but there must be a way to accomplish the same thing in there because it can download updates for dom0.

user@debian-9:~$ yum --enablerepo=qubes-dom0-current list kernel-qubes-vm
qubes-dom0-current                                                                     | 3.6 kB  00:00:00
qubes-dom0-current/primary_db                                                          | 890 kB  00:00:01
Available Packages
kernel-qubes-vm.x86_64                      1000:4.9.56-21.pvops.qubes                      qubes-dom0-current
user@debian-9:~$ yum --enablerepo=qubes-dom0-current-testing list kernel-qubes-vm
qubes-dom0-current-testing                                                             | 3.6 kB  00:00:00
qubes-dom0-current-testing/primary_db                                                  | 1.6 MB  00:00:02   
Available Packages
kernel-qubes-vm.x86_64                  1000:4.14.18-1.pvops.qubes                  qubes-dom0-current-testing
user@debian-9:~$

Looks like the error is coming from qubes-download-dom0-updates.sh. Need to try modifying it to permit --action=list on a debian-9 template. sys-whonix needs a UWT wrapper defined, if I'm reading the error right.

awokd · Feb 11, 2018

Looks like the error is coming from qubes-download-dom0-updates.sh. Need to try modifying it to permit --action=list on a debian-9 template. sys-whonix needs a UWT wrapper defined, if I'm reading the error right.

See /usr/lib/qubes/qubes-download-dom0-updates.sh
For list, you don't really need --downloadonly, because you don't download any package. Try something like this: marmarek/qubes-core-agent-linux@e60194b

marmarek · Feb 11, 2018

See /usr/lib/qubes/qubes-download-dom0-updates.sh
For list, you don't really need --downloadonly, because you don't download any package. Try something like this: marmarek/qubes-core-agent-linux@e60194b

That's the file I was looking at too. Wasn't seeing anything that would prevent a list! Thanks, will try it out and see if I can figure out how to make sys-whonix work with it too. Think it needs a wrapper defined for yum.

awokd · Feb 11, 2018

That's the file I was looking at too. Wasn't seeing anything that would prevent a list! Thanks, will try it out and see if I can figure out how to make sys-whonix work with it too. Think it needs a wrapper defined for yum.

awokd:

sys-whonix needs a UWT wrapper defined, if I'm reading the error right.

Sure? There is a uwt wrapper for yum and yumdownloader. https://github.com/Whonix/uwt/blob/master/usr/bin/yum.anondist https://github.com/Whonix/uwt/blob/master/usr/bin/yumdownloader.anondist These are the programs run by qubes-download-dom0-updates.sh. It makes more sense to uwt wrap (since there are no socks settings available which would be better) the actual network using programs by the qubes-download-dom0-updates.sh scripts than the qubes-download-dom0-updates.sh script itself. There is no 'dnf' in Debian. Let me know ASP please if something is missing in Whonix so it can make its way into Whonix 14 in time.

adrelanos · Feb 11, 2018

awokd:

sys-whonix needs a UWT wrapper defined, if I'm reading the error right.

Sure? There is a uwt wrapper for yum and yumdownloader. https://github.com/Whonix/uwt/blob/master/usr/bin/yum.anondist https://github.com/Whonix/uwt/blob/master/usr/bin/yumdownloader.anondist These are the programs run by qubes-download-dom0-updates.sh. It makes more sense to uwt wrap (since there are no socks settings available which would be better) the actual network using programs by the qubes-download-dom0-updates.sh scripts than the qubes-download-dom0-updates.sh script itself. There is no 'dnf' in Debian. Let me know ASP please if something is missing in Whonix so it can make its way into Whonix 14 in time.

Thanks, @adrelanos . Found those wrappers where you said they'd be.
I got @marmarek 's script running on a standard debian-9 template and it works there. It's not super clean output (like it always lists my currently installed packages) but it does also list packages available in the repo specified. Copied it over to sys-whonix, but when I tried the same '--action=list' there with sys-whonix as my updatevm, I got:

mktemp: failed to create file via template '/tmp/uwt_root/tmp.XXXXXXXXXX': Permission denied
chmod: cannot access '': No such file or directory
/usr/bin/uwt: line 259: : No such file or directory
uwt: Missing torsocks configuration file "\.

But I think I may have figured out a work-around at least, I removed fakeroot from this section of Marmarek's code:

+    elif [ "$YUM_ACTION" == "list" ] || [ "$YUM_ACTION" == "search" ]; then
+        # those actions do not download any package, so lack of --downloadonly is irrelevant
+        YUM_COMMAND="fakeroot $YUM $YUM_ACTION -y"

and now it lists packages for the specified repo!
Maybe fakeroot throws off the UWT wrapper?

awokd · Feb 11, 2018

Thanks, @adrelanos . Found those wrappers where you said they'd be.
I got @marmarek 's script running on a standard debian-9 template and it works there. It's not super clean output (like it always lists my currently installed packages) but it does also list packages available in the repo specified. Copied it over to sys-whonix, but when I tried the same '--action=list' there with sys-whonix as my updatevm, I got:

mktemp: failed to create file via template '/tmp/uwt_root/tmp.XXXXXXXXXX': Permission denied
chmod: cannot access '': No such file or directory
/usr/bin/uwt: line 259: : No such file or directory
uwt: Missing torsocks configuration file "\.

But I think I may have figured out a work-around at least, I removed fakeroot from this section of Marmarek's code:

+    elif [ "$YUM_ACTION" == "list" ] || [ "$YUM_ACTION" == "search" ]; then
+        # those actions do not download any package, so lack of --downloadonly is irrelevant
+        YUM_COMMAND="fakeroot $YUM $YUM_ACTION -y"

and now it lists packages for the specified repo!
Maybe fakeroot throws off the UWT wrapper?

And this is just something where it would be nice to have feature parity with the Fedora template. If it doesn't make the cut for Whonix 14 it's not a big deal for me at least. Can patch it in later!

awokd · Feb 11, 2018

And this is just something where it would be nice to have feature parity with the Fedora template. If it doesn't make the cut for Whonix 14 it's not a big deal for me at least. Can patch it in later!

In the (Debian) portion of the qubes-download-dom0-updates.sh script, list/search are the only options that use yum instead of yumdownloader. Maybe removing fakeroot there is all that needs to be done since yum can apparently list and search without being sudo.

awokd · Feb 11, 2018

In the (Debian) portion of the qubes-download-dom0-updates.sh script, list/search are the only options that use yum instead of yumdownloader. Maybe removing fakeroot there is all that needs to be done since yum can apparently list and search without being sudo.

Whonix 14 doesn't use /usr/bin/uwt anymore since it is no longer required. The mktemp workaround is no longer required. (This is because torsocks was improved.)

We are using /etc/tor/torsocks.conf.

# Set Torsocks to use an automatically generated SOCKS5 username/password based
# on the process ID and current time, that makes the connections to Tor use a
# different circuit from other existing streams in Tor on a per-process basis.
# If set, the SOCKS5Username and SOCKS5Password options must not be set.
# (Default: 0)
IsolatePID 1

Since it doesn't use mktemp anymore, you won't have the issue described in #3553 (comment).

I've removed fakeroot from /usr/lib/qubes/qubes-download-dom0-updates.sh as per your instructions and commented out the exit 1 of the does not suppport --downloadonly check.

It's downloading. Dunno yet if it will actually reinstall the template but at least for sure we don't have any uwt / connectivity issues.

adrelanos · Feb 11, 2018

Whonix 14 doesn't use /usr/bin/uwt anymore since it is no longer required. The mktemp workaround is no longer required. (This is because torsocks was improved.)

We are using /etc/tor/torsocks.conf.

# Set Torsocks to use an automatically generated SOCKS5 username/password based
# on the process ID and current time, that makes the connections to Tor use a
# different circuit from other existing streams in Tor on a per-process basis.
# If set, the SOCKS5Username and SOCKS5Password options must not be set.
# (Default: 0)
IsolatePID 1

Since it doesn't use mktemp anymore, you won't have the issue described in #3553 (comment).

I've removed fakeroot from /usr/lib/qubes/qubes-download-dom0-updates.sh as per your instructions and commented out the exit 1 of the does not suppport --downloadonly check.

It's downloading. Dunno yet if it will actually reinstall the template but at least for sure we don't have any uwt / connectivity issues.

Doc link for tracking: QubesOS/qubes-doc#584

awokd · Feb 12, 2018

Doc link for tracking: QubesOS/qubes-doc#584

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

QubesOS/qubes-issues

Join GitHub today

Debian based UpdateVM does not support --action=list or reinstall #3553

Comments

awokd commented Feb 8, 2018

Qubes OS version:

Affected TemplateVMs:

Steps to reproduce the behavior:

Expected behavior:

Actual behavior:

General notes:

Related issues:

awokd referenced this issue in QubesOS/qubes-doc Feb 8, 2018

andrewdavidwong added bug C: Whonix C: Debian labels Feb 9, 2018

andrewdavidwong added this to the Release 4.0 milestone Feb 9, 2018

This comment has been minimized.

andrewdavidwong commented Feb 9, 2018

This comment has been minimized.

awokd commented Feb 9, 2018

This comment has been minimized.

awokd commented Feb 9, 2018

This comment has been minimized.

andrewdavidwong commented Feb 10, 2018 • edited Edited 1 time andrewdavidwong edited Feb 10, 2018 (most recent)

andrewdavidwong modified the milestones: Release 4.0, Release 3.2 updates Feb 10, 2018

This comment has been minimized.

awokd commented Feb 11, 2018

This comment has been minimized.

awokd commented Feb 11, 2018

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Feb 11, 2018

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Feb 11, 2018

This comment has been minimized.

marmarek commented Feb 11, 2018

This comment has been minimized.

awokd commented Feb 11, 2018

This comment has been minimized.

adrelanos commented Feb 11, 2018

This comment has been minimized.

awokd commented Feb 11, 2018

This comment has been minimized.

awokd commented Feb 11, 2018

This comment has been minimized.

awokd commented Feb 11, 2018

This comment has been minimized.

adrelanos commented Feb 11, 2018

This comment has been minimized.

awokd commented Feb 12, 2018

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Feb 13, 2018

marmarek referenced this issue in QubesOS/qubes-core-agent-linux Feb 13, 2018

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Feb 14, 2018

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Feb 14, 2018

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Feb 14, 2018

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Feb 14, 2018

marmarek closed this in QubesOS/qubes-core-agent-linux#94 Feb 22, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added the r4.0-centos7-cur-test label Feb 27, 2018

qubesos-bot referenced this issue in QubesOS/updates-status Feb 27, 2018

qubesos-bot added r4.0-fc24-cur-test r4.0-fc25-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r4.0-buster-cur-test r4.0-jessie-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added the r4.0-stretch-cur-test label Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added the r4.0-fc26-cur-test label Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Mar 12, 2018

qubesos-bot added r4.0-centos7-stable and removed r4.0-centos7-cur-test labels Mar 12, 2018

This comment has been minimized.

qubesos-bot commented Mar 12, 2018

qubesos-bot added r4.0-fc26-stable and removed r4.0-fc26-cur-test labels Mar 12, 2018

This comment has been minimized.

qubesos-bot commented Mar 12, 2018

qubesos-bot added r4.0-buster-stable r4.0-jessie-stable and removed r4.0-buster-cur-test r4.0-jessie-cur-test labels Mar 12, 2018

This comment has been minimized.

qubesos-bot commented Mar 12, 2018

qubesos-bot added r4.0-stretch-stable and removed r4.0-stretch-cur-test labels Mar 12, 2018

andrewdavidwong commented Feb 10, 2018 •

edited

Edited 1 time

andrewdavidwong edited Feb 10, 2018 (most recent)