Can't add packages to, or update the package list in template VM (Debian-9)

[BobSchnatt]

Qubes OS version:

Qubes release 4.0 (R4.0)

Affected component(s):

debian-9 template VM

---

Steps to reproduce the behavior:

1. Assign the sys-firewall VM to the Networking setting in the debian-9 template VM.
2. Start the debian-9 VM and start the terminal within that.
3. Enter "sudo apt-get update".

Expected behavior:

Since I think the template is currently up to date, I expect something similar to "Nothing to do" or
"Package list up to date".

Actual behavior:

I get this:
Ign:1 http://deb.qubes-os.org/r4.0/vm stretch InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Ign:3 http://security.debian.org stretch/updates InRelease
Err:4 http://deb.qubes-os.org/r4.0/vm stretch Release
Connection failed
Err:5 http://deb.debian.org/debian stretch Release
Connection failed
Err:6 http://security.debian.org stretch/updates Release
Connection failed
Reading package lists... Done

The reason I'm starting here is because I get the same connection error when I try to install a package...

General notes:

I'm mostly a Linux newbie (so I guess I'm insane for starting with Qubes :) ). Any help you give me would be appreciated.

Just a note about what I did get working:
I had to set up the USB qube manually (some error about missing sls.sys-net requirement or something) but I got it working, so I've got Ethernet over USB. I can see USB flash drives and attach them to AppVMs at will with qvm-block (the desktop widget shows them, but doesn't really do the attachment), and I found out how to get audio working. So I've got enough to get started; I just need to be able to install packages and create my real working AppVMs!

Edit: I do have networking going in sys-firewall and debian-9 - I can use Firefox without a problem, and I can ping the Debian repository site successfully in the terminal...

---

Related issues:

[BobSchnatt]

I found a solution (I think). I put "qubes-updates-proxy" in the Services tab of the debian-9 template VM and now I'm able to install packages. I installed evolution, but when I launched it, I see the following in the terminal window (under the Evolution welcome screen):

(evolution:20074): e-data-server-WARNING **: build_categories_filename: Failed to rename '/home/user/.evolution/categories.xml' to '/home/user/.local/share/evolution/categories.xml': No such file or directory

(evolution:20074): dconf-WARNING **: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degraded performance

(evolution-alarm-notify:20090): dconf-WARNING **: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degraded performance

(evolution:20074): e-data-server-WARNING **: build_categories_filename: Failed to rename '/home/user/.evolution/categories.xml' to '/home/user/.local/share/evolution/categories.xml': No such file or directory

I'm dumb, but I'm smart enough to know this doesn't look good. Is this going to be a viable platform for me, or should I just hold out for Qubes 4.1 (or 5.0)?

[BobSchnatt]

I found a solution (I think). I put "qubes-updates-proxy" in the Services tab of the debian-9 template VM and now I'm able to install packages. I installed evolution, but when I launched it, I see the following in the terminal window (under the Evolution welcome screen):

(evolution:20074): e-data-server-WARNING **: build_categories_filename: Failed to rename '/home/user/.evolution/categories.xml' to '/home/user/.local/share/evolution/categories.xml': No such file or directory

(evolution:20074): dconf-WARNING **: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degraded performance

(evolution-alarm-notify:20090): dconf-WARNING **: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degraded performance

(evolution:20074): e-data-server-WARNING **: build_categories_filename: Failed to rename '/home/user/.evolution/categories.xml' to '/home/user/.local/share/evolution/categories.xml': No such file or directory

I'm dumb, but I'm smart enough to know this doesn't look good. Is this going to be a viable platform for me, or should I just hold out for Qubes 4.1 (or 5.0)?

[mirrorway]

1. Assign the sys-firewall VM to the Networking setting in the debian-9 template VM.

The netvm of a template should be None.
Templates get updates by using a net-connected proxy VM (I think this is usually sys-net or sys-whonix, as configured at installation). That proxy VM runs qubes-updates-proxy, not the template.

I do have networking going in sys-firewall and debian-9 - I can use Firefox without a problem,

It is not recommended to run programs in template VMs, and certainly not browsers. Because templates have write access to /, which is inherited to all VMs based on them. So a compromised template, can compromise all VMs based on them.

Depending on how rigorous you are about security, you can recover by either

1. set the template's netvm back to None, disable the qubes-updates-proxy service inside the template, and forget this ever happened

or

2. consider the debian template compromised, delete it using rpm -e, and reinstall it using qubes-dom0-update. all from within dom0. The package is called qubes-template-debian-9.

[mirrorway]

1. Assign the sys-firewall VM to the Networking setting in the debian-9 template VM.

The netvm of a template should be None.
Templates get updates by using a net-connected proxy VM (I think this is usually sys-net or sys-whonix, as configured at installation). That proxy VM runs qubes-updates-proxy, not the template.

I do have networking going in sys-firewall and debian-9 - I can use Firefox without a problem,

It is not recommended to run programs in template VMs, and certainly not browsers. Because templates have write access to /, which is inherited to all VMs based on them. So a compromised template, can compromise all VMs based on them.

Depending on how rigorous you are about security, you can recover by either

1. set the template's netvm back to None, disable the qubes-updates-proxy service inside the template, and forget this ever happened

or

2. consider the debian template compromised, delete it using rpm -e, and reinstall it using qubes-dom0-update. all from within dom0. The package is called qubes-template-debian-9.

[BobSchnatt]

Yeah, I discovered the sys-net / proxy association after I posted this. I moved the qubes-updates-proxy setting to the sys-net VM, but I cannot leave the network setting blank in the debian-9 template VM. I need both of these to update the template VM (but only the network setting to use Firefox) - any reason why? Network access comes to sys-usb via USB Ethernet connection, sys-net connects to sys-usb, and sys-firewall connects to sys-net. If I leave the network setting blank in the Fedora-26 template, I get "Error: failed to synchronize cache for 'repo'". Something similar happens in the debian-9 template (but I can't remember the error).

I do realize I'm not supposed to let the template connect to the network, but at the time it was the only way to get network access to it. By the way, I tried reinstalling the debian-9 template at some point in the past 2 days but got a connection failure error - maybe this time it will go better.

Question: can I reinstall the Fedora template without screwing up Qubes? I know that Qubes partly runs on Fedora.

And finally, I purged Evolution (I decided to omit the email client for the time being), but I successfully installed Signal, so it's not all bad :) Any clue about those Evolution install errors?

Thanks for the response...

[BobSchnatt]

Yeah, I discovered the sys-net / proxy association after I posted this. I moved the qubes-updates-proxy setting to the sys-net VM, but I cannot leave the network setting blank in the debian-9 template VM. I need both of these to update the template VM (but only the network setting to use Firefox) - any reason why? Network access comes to sys-usb via USB Ethernet connection, sys-net connects to sys-usb, and sys-firewall connects to sys-net. If I leave the network setting blank in the Fedora-26 template, I get "Error: failed to synchronize cache for 'repo'". Something similar happens in the debian-9 template (but I can't remember the error).

I do realize I'm not supposed to let the template connect to the network, but at the time it was the only way to get network access to it. By the way, I tried reinstalling the debian-9 template at some point in the past 2 days but got a connection failure error - maybe this time it will go better.

Question: can I reinstall the Fedora template without screwing up Qubes? I know that Qubes partly runs on Fedora.

And finally, I purged Evolution (I decided to omit the email client for the time being), but I successfully installed Signal, so it's not all bad :) Any clue about those Evolution install errors?

Thanks for the response...

[BobSchnatt]

Never mind about needing both the network and proxy settings. I rebooted the system and immediately ran the update against the Debian template (with only the proxy setting in sys-net). Worked like a charm :) So that only leaves the Evolution missing folder problem. Like I said, I'm not going to install it now, but I wish I knew why it failed like that. I ran "sudo apt-get install evolution" - maybe that was the wrong package name? I'm probably not going to recreate those templates, unless you think I had a good chance of being hacked in the last two days. (I'd rather not muck things up now that it's working!) I was taking them up and down all day, and I have a firewall in my FiOS router (not to mention what might be in sys-firewall).

[BobSchnatt]

Never mind about needing both the network and proxy settings. I rebooted the system and immediately ran the update against the Debian template (with only the proxy setting in sys-net). Worked like a charm :) So that only leaves the Evolution missing folder problem. Like I said, I'm not going to install it now, but I wish I knew why it failed like that. I ran "sudo apt-get install evolution" - maybe that was the wrong package name? I'm probably not going to recreate those templates, unless you think I had a good chance of being hacked in the last two days. (I'd rather not muck things up now that it's working!) I was taking them up and down all day, and I have a firewall in my FiOS router (not to mention what might be in sys-firewall).

[andrewdavidwong]

Since the main problem that this issue is about has been resolved, I'm closing this as "resolved." If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this.

As for the other questions, we ask that you please send them to the qubes-users mailing list. For the sake of organization, we prefer to keep each issue about a single topic and not use it as a place for discussion about different topics. Thank you for your understanding.

[andrewdavidwong]

Since the main problem that this issue is about has been resolved, I'm closing this as "resolved." If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this.

As for the other questions, we ask that you please send them to the qubes-users mailing list. For the sake of organization, we prefer to keep each issue about a single topic and not use it as a place for discussion about different topics. Thank you for your understanding.