Implement own non-interactive template update tool

[marmarek]

Implement our own non-interactive update mechanism (not requiring DispVM in the middle) - including a method to plug security fixes for VM's own update mechanism, like we did via Salt in the past (it happened already for both Fedora and Debian)

The interface should provide basic feedback on a) progress, b) what updates were installed (output from package manager is probably enough). And a reliable information if the update process succeeded. In subsequent version we may want more structured progress reporting (to show a progress bar somewhere, instead of a terminal output).

This is to replace updates via salt in majority of cases. Not requiring DispVM and more targeted support for specific package managers should make updates much quicker and less resource intensive.

For initial version it needs to support package managers as in https://github.com/QubesOS/qubes-core-agent-linux/blob/master/package-managers/upgrades-installed-check

Originally posted by @marmarek in #6624 (comment)

[DemiMarie]

I would also like it to support dnf --best --refresh --enablerepo=updates-testing --security -- upgrade && dnf --best -- upgrade in Fedora. That command is what one uses to install security updates (but not non-security updates) from the updates-testing repo.

[marmarek]

I would also like it to support dnf --best --refresh --enablerepo=updates-testing --security -- upgrade && dnf --best -- upgrade in Fedora. That command is what one uses to install security updates (but not non-security updates) from the updates-testing repo.

That feature can be added at some point, but lets not broaden the scope until we have some basic version working.