Recommendations for Manual/Automated Updates


ryan....@gmail.com

Jun 24, 2016, 3:40:01 PM
to qubes-users
Hello,

(I'm very new to Qubes, and while I love the concept and clean interfaces, I find the lack of documentation (well really, google content) to be the weakest point. Apologies if there are documents out there I didn't find.)

==== The Questions ====

Q1) Practically speaking, how often should we be updating dom0? (I'm guessing no automation is available or recommended at this time.)

Here's the guide to the mechanics I found: https://www.qubes-os.org/doc/software-update-dom0/

Q2) How should we handle updates to VM templates?

Q2.1) What is the "fedora-23: Package Updater" tool for? It simply reports "All packages up to date", even though there are many dnf updates pending.

Q2.2) Is there a recommended method of automating updates to template VMs?

I can script something, but figured it would exist.

Q2.3) If you do automate updates to the template VMs, do you find yourself applying updates to the template and then rebooting... every day? Seems a little painful.

Andrew David Wong

Jun 24, 2016, 9:10:40 PM
to ryan....@gmail.com, qubes-users

On 2016-06-24 12:40, ryan....@gmail.com wrote:
> Hello,
>
> (I'm very new to Qubes, and while I love the concept and clean
> interfaces, I find the lack of documentation (well really, google
> content) to be the weakest point. Apologies if there are documents
> out there I didn't find.)
>

The documentation is predominantly just a volunteer effort right now.
However, you can usually find a lot of useful information by searching
the mailing lists.

> ==== The Questions ====
>
> Q1) Practically speaking, how often should we be updating dom0?
> (I'm guessing no automation is available or recommended at this
> time.)
>

I wouldn't recommend automating dom0 updates, but *checking* for dom0
updates is automatic by default. I would recommend updating dom0
whenever there are updates available (which currently is not very
often). This is mainly because it's important to have timely security
updates. Other users prefer to delay dom0 updates for the sake of
system stability, which is understandable. It can be a controversial
topic, and you probably have to make your own decision based on your
use case and threat model.

> Here's the guide to the mechanics I found:
> https://www.qubes-os.org/doc/software-update-dom0/
>
> Q2) How should we handle updates to VM templates?
>
> Q2.1) What is the "fedora-23: Package Updater" tool for? It simply
> reports "All packages up to date", even though there are many dnf
> updates pending.
>

The recommended way to update templates is either through Qubes Manager
or through the command line in each template. (I'm not personally
familiar with the Package Updater tools, but given your report about
the Package Updater, I would recommend using dnf instead of it.)

> Q2.2) Is there a recommended method of automating updates to
> template VMs?
>
> I can script something, but figured it would exist.
>

There is no built-in method of automating template updates. You can
script something yourself, or you can use/adapt one of the scripts
other users (including myself) have shared in this thread (and other
past threads):

https://groups.google.com/d/topic/qubes-users/UG1OiPXWrhs/discussion

> Q2.3) If you do automate updates to the template VMs, do you find
> yourself applying updates to the template and then rebooting...
> every day? Seems a little painful.
>

Personally, I have a cron job in dom0 that updates my templates
multiple times a day (using the script I shared in the thread linked
above). But I don't restart every AppVM every day to apply these
updates. As you said, that would be too painful. Rather, I restart
them based on the situation and my security needs at the time. For
example, I might leave my "untrusted" VM running without restarting it
for several days at a time (because it's already untrusted), but I
might restart my "banking" VM each time before I log in to my bank's
website. (In practice, my "banking" VM is usually already off, so I
just start it up, and it just automatically inherits the
freshly-updated TemplateVM's root filesystem.)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
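
The restart-on-need approach described in the reply above, as an added example (not code from the thread or from the Qubes project): a Python sketch that flags running AppVMs that were started before their template's last update and have exceeded a per-VM staleness limit. The inventory, the `max_stale_hours` policy field and all timestamps are constructed assumptions, and no Qubes tool is called.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not output of any Qubes tool); times are epoch seconds.
TEMPLATE_UPDATED = {"fedora-23": 1466800000}  # last successful update per template


@dataclass
class AppVM:
    name: str
    template: str
    started: Optional[int]  # None means the VM is not running
    max_stale_hours: int    # hypothetical policy: tolerated hours on an old root


VMS = [
    AppVM("untrusted", "fedora-23", 1466600000, 24 * 7),  # already untrusted
    AppVM("work", "fedora-23", 1466780000, 12),
    AppVM("banking", "fedora-23", None, 0),               # usually off
    AppVM("personal", "fedora-23", 1466810000, 12),       # started after update
]


def stale_hours(vm, template_updated, now):
    """Hours the VM has been running a root filesystem older than its template."""
    if vm.started is None:
        return 0.0  # a stopped VM inherits the updated template on next start
    updated = template_updated.get(vm.template)
    if updated is None or vm.started >= updated:
        return 0.0  # no recorded update, or started after it: nothing stale
    return (now - updated) / 3600.0


def needs_restart(vms, template_updated, now):
    """Names of running VMs whose staleness exceeds their policy, worst first."""
    flagged = []
    for vm in vms:
        hours = stale_hours(vm, template_updated, now)
        if hours > vm.max_stale_hours:
            flagged.append((hours, vm.name))
    return [name for _, name in sorted(flagged, reverse=True)]


if __name__ == "__main__":
    now = TEMPLATE_UPDATED["fedora-23"] + 20 * 3600  # 20 hours after the update
    for name in needs_restart(VMS, TEMPLATE_UPDATED, now):
        print("restart to pick up template updates:", name)
```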

ryan....@gmail.com

Jun 24, 2016, 11:16:15 PM
to qubes-users
Great, concise responses. Thank you.