Weird dnf update command behavior on fedora-29 template

82 views
Skip to first unread message

Sphere

unread,
Feb 26, 2019, 9:54:15 PM2/26/19
to qubes-users
It started happening just today
Executing sudo dnf update command on my fedora-29 template forcefully makes my sys-net start

But thing is, I'm no longer using sys-net template as my net vm and this caused me to triple check my settings and my update VM is showed correctly as I had intended = a VM designed to securely process DNS queries that is attached to sys-firewall

Despite this, the behavior continues, even if I kill and/or halt my fedora-29 template and I have no clue as to why this happens it's like something is forcing it to use sys-net in an attempt to get through my secure processing of DNS queries

I also double checked that the template has no assigned net vm as intended according to how Qubes was designed and it's also set properly to 'none'

It's absolutely persistent to the point that I ended up deleting my sys-net template and now the sudo dnf update command abruptly ends with "Error: Failed to synchronize cache for repo 'fedora-modular'"

Can anyone help me with the logs to check/commands to use in diagnosing this problem properly?

unman

unread,
Feb 27, 2019, 7:30:53 AM2/27/19
to qubes-users
This is expected. Not a problem.
When you run dnf update , Qubes will start the update VM that you have
set.
As with any qube, if that has a netvm then it will start *that*, etc etc,
right up to sys-net.
If it didn't start a network connection, then you would get an update
error (as indeed you have).

Sphere

unread,
Feb 27, 2019, 7:51:21 PM2/27/19
to qubes-users

Sorry if I wasn't clear in some way that may have caused this confusion. I should've kept it short and simple:

"I'm no longer using sys-net template as my net vm"

my update VM has internet connection in it, I even did a ping to google

Structure is:
update VM -> Firewall VM -> Net VM(not sys-net)

Which means dnf update should work as expected

But instead what happens is

dnf update execution -> starting sys-net

Making it seem like my sys-net has been set as the updateVM for my fedora-29 template

I haven't tried updating my other templates yet but performing a "qubes-dom0-update" works properly as intended and is using updateVM properly

awokd

unread,
Feb 27, 2019, 10:57:22 PM2/27/19
to qubes...@googlegroups.com
Sphere:

> Making it seem like my sys-net has been set as the updateVM for my fedora-29 template
>
> I haven't tried updating my other templates yet but performing a "qubes-dom0-update" works properly as intended and is using updateVM properly
>
Double check targets in /etc/qubes-rpc/policy/qubes.UpdatesProxy.

Sphere

unread,
Feb 28, 2019, 4:04:52 AM2/28/19
to qubes-users

Thank you very much for that
I checked the file and I found:

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow, target=sys-net

(facepalm)
Does this mean that the updateVM that I assigned was meaningless after all this time? OTL

awokd

unread,
Feb 28, 2019, 2:54:12 PM2/28/19
to qubes...@googlegroups.com
Sphere:
Not completely. The updateVM setting applies for dom0 updates but to
also have your templates update via your new template you want to also
change the target= line in there.

Sphere

unread,
Feb 28, 2019, 8:27:03 PM2/28/19
to qubes-users

Ah that's a relief to hear
While I did understand what those pieces of code meant I at least wanted confirmation from someone else
Guess I'll go try to redownload my templates just to be sure

Reply all
Reply to author
Forward
0 new messages