why do fedora templates always start sys-whonix on update

27 views
Skip to first unread message

0spin...@gmail.com

unread,
Aug 15, 2020, 6:01:06 AM8/15/20
to qubes-users
anyone have a clue why this is, and whether it can be disabled? It happens regardless of whether I have a netvm set for the template, and I have 0 tor mirrors enabled afaict.

Qubes

unread,
Aug 15, 2020, 7:03:31 AM8/15/20
to qubes...@googlegroups.com
It is normal [behavior], Qubes uses a proxy service for updates.

[behavior] https://www.qubes-os.org/doc/software-update-domu/#updates-proxy

0spin...@gmail.com

unread,
Aug 15, 2020, 7:09:32 AM8/15/20
to qubes-users
On Saturday, August 15, 2020 at 1:03:31 PM UTC+2 Qubes wrote:
On 8/15/20 12:01 PM,  wrote:
> anyone have a clue why this is, and whether it can be disabled? It happens
> regardless of whether I have a netvm set for the template, and I have 0 tor
> mirrors enabled afaict.
>
It is normal [behavior], Qubes uses a proxy service for updates.

[behavior] https://www.qubes-os.org/doc/software-update-domu/#updates-proxy

yet this says: # any VM with tag `whonix-updatevm` should use `sys-whonix`; this tag is added to `whonix-gw` and `whonix-ws` during installation and is preserved during template clone
fedora-32-xfce has nothing to do with whonix-gw or ws, so why has it received this tag, and how can I remove it? qvm-prefs help doesn't say.

Qubes

unread,
Aug 15, 2020, 7:18:24 AM8/15/20
to qubes...@googlegroups.com
Why would you want to remove it? It is the mechanism that is used to
install both software and update in your template.

It is only a setting to tell your templateVM where to get
updates/software from and over which connection updates/software should
be retrieved.

0spin...@gmail.com

unread,
Aug 15, 2020, 7:26:34 AM8/15/20
to qubes-users
mainly because fedora updates are always so very slow (200-400kbps), while debian isn't.

unman

unread,
Aug 15, 2020, 9:23:12 AM8/15/20
to qubes-users
On Sat, Aug 15, 2020 at 04:26:34AM -0700, 0spin...@gmail.com wrote:
> mainly because fedora updates are always so very slow (200-400kbps), while
> debian isn't.
>

The proxy is configured at /etc/qubes-rpc/policy/qubes.UpdatesProxy
You want a line at the top of the file that says (e.g):
fedora-32 $default allow,target=sys-net

Templates have no networking, (by default), and you should keep it that
way to avoid mistakes.
To enable them to install software and update, there is a proxy
mechanism that listens on port 8082 and connects to a download proxy.
This is all normal.

On your system you probably opted to install updates via Tor, so the
default proxy setting is to use the Whonix system. Editing the policy
file will change that.

unman
Reply all
Reply to author
Forward
0 new messages