Converts fedora-31 VMs to fedora-32 throughout

[conorsch]

Status

Ready for review

Description of Changes

Fixes #627

Changes proposed in this pull request:

• Sets all sys-* VMs to be based on fedora-32

Previously included but reverted, then dropped before merge:

• Patches the fedora-32 template to use salt packages from the upstream "testing" repos, pending final resolution (i.e. packages landing in prod) of Qubes updater failure when default-mgmt-dvm set to fedora-31 or fedora-32 QubesOS/qubes-issues#6188

Testing

Prerequisites

In order to test in a manner that ensures upgrades work, you'll make to make sure your workstation is in a predictable state:

1. Ensure that the qubes-template-fedora-32 package NOT installed: qvm-ls | grep fedora-32 should show no hits
2. If required, run sudo dnf remove qubes-template-fedora-32 to uninstall
3. Check out "main" branch of this repository, and run make clean && make dev. This will ensure all VMs are configured with fedora-31 [sic].

Testing the transition

1. make clone && make dev && make test
2. Ensure all tests are passing
3. qvm-ls | grep fedora should show that sys-net, sys-usb, and sys-firewall are all based on fedora-32.

Test the upgrade scenario

1. make clone && make prep-dev, then run the graphical updater
2. Ensure all tests are passing
3. qvm-ls | grep fedora should show that sys-net, sys-usb, and sys-firewall are all based on fedora-32.

Checklist

If you have made code changes

• Linter (make flake8) passes in the development environment (this box may
  be left unchecked, as flake8 also runs in CI)

If you have made changes to the provisioning logic

• All tests (make test) pass in dom0 of a Qubes install

• This PR adds/removes files, and includes required updates to the packaging
  logic in MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec

[conorsch]

The use of wait here means that the hotfix task will only run if the fedora-32 template has just been installed. For workstations that already have the fedora-32 template present, because someone installed it manually, outside the scope of Workstation provisioning logic.

That's likely acceptable for our pilot participants, but in the future, for a larger install base, we'll likely want to script a solution:

1. Check for tag "sd-workstation-salt-fix-2020-11" on fedora-32 template
2. If not present, run the hotfix task
3. Add tag if it was missing

I don't advocate for the script-based solution in this PR, @zenmonkeykstop, but mentioning it in case you think it's worthwhile based on pilot comms.

[conorsch]

During sprint planning today, we decided to downgrade this PR to draft. Ideally we'll have the salt fix merged upstream into prod by the Qubes folks by next week, at which point we can drop the hotfix logic here prior to merging.

Still good for early review, though.

[eloquence]

@marmarek @andrewdavidwong Are there any plans to automate these end-of-life template updates, e.g. using Qubes' built-in graphical updater?

[marmarek]

We have a GUI tool that allows switching all the VMs at once: https://www.qubes-os.org/doc/templates/#switching

[eloquence]

Thanks @marmarek, I've used that process and it is indeed relatively straightforward. It does seem like the next level of UX improvement would potentially be for the system to detect end-of-life templates for system VMs, and recommend/apply updates -- perhaps we can chat more about this in the context of updater improvements/consolidation next year. :)

[zenmonkeykstop]

Ran through test plan, transition to fedora-32 was successful, all tests passing!

Will take another spin through once the salt connector package makes it to prod, with the qvm-run workaround removed, and merge at that point.

[conorsch]

Reverted the hotfix commit. Once the fixes land in upstream prod repos, we'll be able to test the upgrade path without the hotfix active. We can then confirm working and drop the hotfix & its reversion prior to merge and release (#643).

[emkll]

Now that upstream changes are merged to the Fedora-32 channel, and the workaround has been removed here, this PR is now ready for review. I've documented a test plan and tested the upgrade scenario as follows:

• `make clone && make prep-dev on this branch, graphical updater completes successfully
• All tests are passing
• sys-net, sys-usb, and sys-firewall are all based on fedora-32
• usb autoattach/export logic is working as expected

Should be good to approve/merge after squashing the commits in this branch.

[conorsch]

Ready for final review. I dropped the hotfix commits, and appended a 0.5.1-rc1 version bump & corresponding tag. @zenmonkeykstop please verify the rc info looks good, then after merge I'll get a package up.

[zenmonkeykstop]

RC commit changes look good, based on those and previous reviews this is OK to go for rc1 build