Updates docs and config for Qubes 4.0.1 #248
Conversation
The Debian Stretch VM never should have included the jessie-backports
target, and its inclusion causes apt updates to fail, blocking
installation of any and all packages. Let's snip it out.
Tried a few paths toward implementation, and it was a rocky road.
The "quiet: true" declaration is included for compatibility with the
Whonix templates, which are also based on Debian, but don't use
/etc/apt/sources.list. See the salt docs [0] for reference:
quiet -- Do not raise any exceptions. E.g. ignore the fact that the
file that is tried to be edited does not exist and nothing really
happened.
However, that parameter doesn't seem to be honored when used in the SLS
files called in dom0. Another option was to wrap the jessie deletion task
in a Jinja conditional, e.g.:
{% if 0 == salt['cmd.retcode']('test -f /etc/apt/sources.list') %}
but then the corresponding `require` for that task must *also* be
wrapped in the same conditional, otherwise Salt gets confused. That
would be a bear to maintain. Finally settled on "only if" which will
cause the task to be skipped (meaning the task passes even on Whonix)
and still available for use as a requirement.
[0] https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.line
Removes README ad-hoc steps for fedora-29 As of Qubes 4.0.1, fedora-29 is automatically installed, so no manual steps are required to configure the common `sys-*` VMs with fedora-29 as base. Removes ad-hoc commands for whonix-14 templates As of Qubes 4.0.1, the default base templates for the Whonix VMs are the 14 series, so the out of the box config is what we want, allowing us to drop the custom commands. Furthermore, the old templates are not installed on 4.0.1, so we don't need to remove those, either.
The current version of Fedora is 29, so let's ensure that's the version we have set in config and corresponding tests. We'll shortly need to bump to fedora-30, as well.
Since we're running the per-VM checks in a loop (rather than using pytest.mark.parametrize, which would require additional dependencies in dom0), any failing check will break out of the loop. Let's state explicitly which VM failed the check, to aid in debugging the config logic.
We don't need to update the `qubes-kernel-vm-support` package in the debian-9 template any longer, as the version shipped with 4.0.1 out of the box is sufficient for compatibility with our custom kernels. It's still a good idea to make sure all VMs are fully updated, however, particularly because the Salt logic currently *copies* existing VMs, meaning that any missing updates will increase the delay on provisioning, both initially and over time, since each copy of the TemplateVM will need updates applied to it individually.
|
|
||
| Before trying to use this project, install [Qubes 4.0](https://www.qubes-os.org/downloads/) on your development machine. Accept the default VM configuration during the install process. | ||
| Before trying to use this project, install [Qubes 4.0.1](https://www.qubes-os.org/downloads/) on your development machine. Accept the default VM configuration during the install process. |
There was a problem hiding this comment.
In order to mitigate against CVE-2019-3462, Qubes recommends installing all debian-based templates from scratch. Shipping our own Debian-based template should help/mitigate for all non-whonix based templates, but we may need to have some logic in place to detect if there are any RPM changes and destroy /rebuild the templates
https://www.qubes-os.org/news/2019/01/23/qsb-46/
I don't think this should be in scope of this PR but something to consider for the beta
There was a problem hiding this comment.
My understanding is that thanks to this patch, upgrading the debian-9 template in-place on first boot of the workstation will handle the case appropriately. You're right that you should add logic to verify it's done, to guard against mistakes. Hopefully Qubes 4.0.2 will back in the latest apt version in the Debian templates, but no reason to expect that'll be in place by the beta.
There was a problem hiding this comment.
We opened issue #249 to track.
emkll
force-pushed
the
245-first-run-for-qubes-4.0.1
branch
from
31a1eea to
7bcf019
Compare
|
Just making a note that @emkll and I are able to see the same RPC policy error for |
The 4.0 -> 4.0.1 transition involved replacing spaces as separators with tabs as separators (which is more consistent with the other policy files). Tests must be updated accordingly.
|
Pushed up a small tweak to the GetDate tests, after conferring with @emkll. @creviera can you try again and see if you can reproduce the failing test? All tests are now passing for me locally. |
|
All tests pass 🎉 |
|
Thank you for the careful review, @creviera ! |
Ensures the docs are accurate as of Qubes 4.0.1. Ran through a clean install and fixed errors encountered during the provisioning process. Fortunately, much of the manual recommendations we'd made around EOL Fedora templates can now be removed from the README—although I expect we'll soon be forced to do the same for 29 -> 30 (Fedora-29 goes EOL ~ 2019-09).
Closes #245.
Closes #189.
Closes #191.
Testing
Ideally, perform a clean installation of Qubes 4.0.1 following these new docs! That's a large ask, though, so more practically, the following should work:
sd-dev(or other AppVM you use for development)make cleanto purge any old config.make allto provision all VMs, and confirm no errors.make testand confirm all passing.Assuming those steps go smoothly, take a moment to run
qvm-ls | grep fedoraand make sure the only references you see are tofedora-29. If you see other versions, you may want to clean up, e.g.And similar for any other versions of Fedora VMs you may have.