File downloads performed by Salt in a TemplateVM fail

[DemiMarie]

Qubes OS version:

R4.0

Affected component(s):

qubes-core-admin, though this mostly causes problems when using Salt.

---

Steps to reproduce the behavior:

Run gpg --recv-keys with any keyserver in a TemplateVM.

Expected behavior:

The updates proxy should allow traffic to the keyserver

Actual behavior:

Access to the keyserver is denied.

General notes:

This was originally discovered when using SaltStack to add apt repositories to a template. Using a keyserver and key ID (the most secure way of adding the key, without requiring the key to be copied into dom0) does not work. Copying the key into dom0 might work (and, since the key would never be parsed by anything whatsoever in dom0, only passed as a stream of bytes, might even be safe), but I did not try.

---

Related issues:

Possibly #1955?

[unman]

There's nothing special about this - it's a standard problem, and since there's a proxy available, there's a simple solution

[marmarek]

In fact I think this is more generic problem - any file downloads done by salt in the template will fail this way. Maybe the whole salt running in a template should get http_proxy variable set? I'm not yet sure how to do that technically, but probably there is some way...
Also note it shouldn't be "always set http_proxy variable", but only in templates - or more specifically - when /var/run/qubes-service/updates-proxy-setup exists. Otherwise it will break the same way in non-template vms.

[DemiMarie]

Is this a duplicate of #4291?

[andrewdavidwong]

Is this a duplicate of #4291?

I don't know.

But, if anything, #4291 would be a duplicate of this, since this was filed first.

[unman]

On Tue, Jun 22, 2021 at 07:28:46PM -0700, Andrew David Wong wrote: > Is this a duplicate of #4291? I don't know. But, if anything, #4291 would be a duplicate of this, since this was filed first.

I didn't know this was still open. There is nothing salt related here. File downloads triggered from *any* source in a TemplateVM will fail unless you use the proxy. We don't have an issue for that: it's not a bug, it's a feature. #4291 is a duplicate of this. It has a proposed solution, but a solution to this would also solve that. (I use the proxy for gpg key access where necessary, as explained in my link.) Personally, I wouldn't want to see the http_proxy variable set globally.

[andrewdavidwong]

I didn't know this was still open. There is nothing salt related here. File downloads triggered from any source in a TemplateVM will fail unless you use the proxy. We don't have an issue for that: it's not a bug, it's a feature.

Closing as "not an issue." If you believe this is a mistake, please leave a comment, and we'll be happy to take another look. Thank you.