Test install process, workstation functionality against Qubes 4.0.4

[zenmonkeykstop]

The Qubes 4.0.4 RC1 iso is now available: https://www.qubes-os.org/news/2020/11/05/qubes-4-0-4-rc1/

Probably the most relevant change is the update to Fedora version from 30 (in 4.0.3) to 32. The workstation installation currently involves installing F31 after the Qubes install, so this would simplify the process.

Testing should involve:

• verifying that the SDW docs correctly describe the Qubes installer process
• verifying that an installation can be completed successfully without installing F31 and with F32 used for sys- VMs
• verifying client functionality after install.

[zenmonkeykstop]

Tried naively installing on 4.0.4-rc1, ignoring the fedora31 setup step (because fedora32, right?)

Installation proceeds happily including installation of fedora31 template until first attempt to update a fedora31-based VM (sys-firewall), which fails due to the upstream issue QubesOS/qubes-issues#6188 . Applying the fix described there (using Qubestesting repo) resolves, and installation completes without error on a second run of sdw-admin --apply.

[eloquence]

Thanks for the report @zenmonkeykstop, that's great news. I've pulled this into the current sprint for visibility, but if the release stars align, we can do the final testing as part of QA for 0.5.1 (#643).

[eloquence]

Qubes 4.0.4 is still not out yet; we'll want to re-test a fresh install once it it is but moving to near-term backlog for now.

[eloquence]

4.0.4~RC2 is out; plan of record is to re-test once the final 4.0.4 is out.

[eloquence]

Just noting that 4.0.4. was in fact released yesterday. According to the release announcement, any updated Qubes 4 system is functionally identical to a 4.0.4 install.

I re-ran sdw-admin --apply on my updates Qubes machine without issues; SecureDrop Client also seems happy. In make test in dom0 I am noticing Whonix policy lines that cause test failures on my machine. I'm not sure when exactly those were added, may have been well before 4.0.4 but I do believe it must have been through some update:

Policy for qubes.VMRootShell is:
disp-mgmt-whonix-gw-15 whonix-gw-15 allow,user=root
### BEGIN securedrop-workstation ###

Policy for qubes.Filecopy is:
disp-mgmt-whonix-gw-15 whonix-gw-15 allow,user=root
### BEGIN securedrop-workstation ###

[conorsch]

Those RPC policies changes appear incidental, they are automatically created by dom0 during updates to a given VM. So, while updating whonix-gw-15 via Salt, dom0 will add a grant for disp-mgmt-whonix-gw-15 to talk to it. Those should be cleaned up automatically after a successful run, but if the updates failed, they'll hang around again. See #351 (comment) for reference.

In other words, those changes do not appear to be related to 4.0.4. Thanks for the install report, great to hear it's working well! We'll need to update the docs to match.

[eloquence]

We've been using Qubes 4.0.4 without issue for a while, so closing.