"Qubes Update" icon (Sun Looking icon on top right)


22...@tutamail.com

Jan 3, 2019, 4:57:21 PM
to qubes-users
After a recent update to Dom0 an icon appeared on the top right. Been playing with it for a few weeks and I am struggling with the following:

1) It checks for updates via sys-net even though I use sys-whonix for updates? I read somewhere there is a way to change this so it uses whonix which is more secure??
2) Most recently I used it to check my templates and it informed me "nothing to do", yet when I used the Qubes Manager to check/update I needed to update some templates? Not sure I can trust it to give accurate info...

Any thoughts or suggestions on how to use/configure this feature?

Thanks....

799

Jan 3, 2019, 7:22:29 PM
to 22...@tutamail.com, qubes-users
On Thu, 3 Jan 2019 at 22:57, <22...@tutamail.com> wrote:
> After a recent update to Dom0 an icon appeared on the top right.
> [...]
>
> Any thoughts or suggestions on how to use/configure this feature?

I have also recognized some problems as the Update Icon keeps telling me that there are updates for some of my templates.
But when I launch the updates via "NEXT" I get the message under Details:
"SKIP (nothing to do)"
But the icon keeps telling me that Updates are available.

As this is something new, it seems to me that this was introduced via a dom0 update.
Maybe opening "Qubes Global Settings" and clicking on "Disable checking for updates for all Qubes" might be a temporary fix?

- O

awokd

Jan 7, 2019, 8:25:00 PM
to qubes...@googlegroups.com
799 wrote on 1/4/19 12:22 AM:
22rip, where did you see that Update icon always used sys-net? Doesn't
seem like it should, if your other settings point to sys-whonix.

22...@tutamail.com

Jan 7, 2019, 9:13:24 PM
to qubes-users
I just had another Dom0 update today...just tried the "sun icon" again and the behaviour was a little different in that it launched my sys-whonix vm this time for an update.

Notes:
1) Prior to my dom0 update today, the "sun icon" had always given me a "nothing to do" without ever starting sys-whonix (I don't start this VM with start-ups of Qubes)
2) I played with the sun icon again after the Dom0 update today and noticed that it just clocked after starting sys-whonix. When I update using the Qubes Manager I start my sys-whonix manually before I click on "update qubes" on my templates. I tried starting sys-whonix before I clicked on the "sun icon" process and it appeared to update my template..at least the down arrow in the state column of my qubes manager disappeared (fedora template was being updated)

When you say "settings point to sys-whonix" the only settings that point there are in Qubes Manager->System->Global Settings->Dom0. I believe I also changed to update my templates using sys-whonix when I installed whonix-14 (quite sure this is the case as sys-whonix is launched when I update my templates).

Are there other settings I should point to sys-whonix...I'd like to keep all critical updates via sys-whonix?

I'll try the "sun icon" update process more and see if the behaviour changes...again the update to Dom0 today might have changed things...

awokd

Jan 7, 2019, 10:00:25 PM
to qubes...@googlegroups.com
22...@tutamail.com:
Interesting, thank you. That's a logical test; I'll try it too.

I only meant those two settings- qubes-prefs and templates. You can
double-check your template update settings in
/etc/qubes-rpc/policy/qubes.UpdatesProxy. You want target=sys-whonix on
everything, but note it's only first match that matters.

22...@tutamail.com

Jan 8, 2019, 9:53:03 AM
to qubes-users
Just played around again with the sun icon, this time starting my whonix-gw template used for template updates prior, a couple of observations:

Seems to work fine when updating Debian and Fedora 29 templates, at least the messages I get in the details appear positive, listing the updates/changes, green check marks, etc....

However when I try to update my whonix14 templates (both -ws and -gw) I get what appears to be errors. I still don't know how to copy errors from Dom0 to an appvm but the errors end with:

File"/var...salt...futures import cancelledError
ImportError: No module named concurrent.futures
...

A little background on my Qubes...I started using Qubes out of an immediate need for security and have been backing into how to use it over the last few years. I consider myself pretty good but I am still missing what appears to be basic skills.

How do I check:
/etc/qubes-rpc/policy/qubes.UpdatesProxy

Sorry to ask but can you explain in more detail?

Thanks again Qubes and all those contributing...I really appreciate it! I'll document what I can using this feature...

awokd

Jan 8, 2019, 4:38:47 PM
to qubes...@googlegroups.com
22...@tutamail.com wrote on 1/8/19 2:53 PM:
No apologies needed! More detail: go to a dom0 prompt (Qubes
menu/Terminal Emulator) then "cat" or "nano" that file. Not sure it's
formally documented somewhere, but if you want your updates to go
through Whonix, confirm the non-commented out lines (ones without a # at
the front) have target=sys-whonix instead of target=sys-net. You might
have the same lines with different targets, but it's only the first one
that matters.

"sudo qubesctl state.sls qvm.updates-via-whonix" should set your
templates to update over Whonix, if you see any problems in that file.
You can also edit it manually with "sudo nano
/etc/qubes-rpc/policy/qubes.UpdatesProxy", but copy it somewhere first
so you can revert if you mess up something.

I tested trying to Qubes Update a Debian template with sys-whonix
shutdown, and it failed quickly. Would have expected it to automatically
start sys-whonix like the other update procedures, but at least it
didn't seem to be using sys-net incorrectly! I'll try using it for -ws
or -gw next time. To copy text from dom0, follow item #1 or #3 here:
https://www.qubes-os.org/doc/copy-from-dom0/#copypaste-from-dom0.


Marek Marczykowski-Górecki

Jan 10, 2019, 3:20:25 PM
to 22...@tutamail.com, qubes-users

On Tue, Jan 08, 2019 at 06:53:03AM -0800, 22...@tutamail.com wrote:
> Just played around again with the sun icon, this time starting my whonix-gw template used for template updates prior, a couple of observations:
>
> Seems to work fine when updating Debian and Fedora 29 templates, at least the messages I get in the details appear positive, listing the updates/changes, green check marks, etc....
>
> However when I try to update my whonix14 templates (both -ws and -gw) I get what appears to be errors. I still don't know how to copy errors from Dom0 to an appvm but the errors end with:
>
> File"/var...salt...futures import cancelledError
> ImportError: No module named concurrent.futures
> ...

See here: https://github.com/QubesOS/qubes-issues/issues/4272

It shouldn't be an issue for new templates, but for older installs, you
need to install python-concurrent.futures manually there.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

22...@tutamail.com

Jan 12, 2019, 11:47:01 AM
to qubes-users
Just used this feature again...Debian-9, Fedora-29 and Dom0 updates (or lack of) went fine i.e. My Fedora templates seemed to update and no updates were needed for Dom0 or my Debian templates.

My Whonix-14-GW and -WS however did deliver an error that might be related to what you refer to, Marek. The sun icon gives me the following error (abbreviated):

File "/var/tmp/.root_62a99a_salt....import salt.modules.cmdmod
File "/var/tmp/.root_62a99a_salt....import salt.util.http
File "/var/tmp/.root_62a99a_salt....import salt.util.events
....
...
ImportError: No module named concurrent...CancelledError
stdout:

I manually updated the whonix-gw and -ws using the Qubes Manager OK.

Any chance someone can share the commands to allow me to update using the "sun icon"? It's nice to check all templates for updates and have them run in the background one-by-one. I thought this would crash my system but worked pretty slick apart from the whonix-gw and -ws error I got...

Again thanks to all for the help! Marek you do good work!! awokd/799 thanks for your engagement...

Marek Marczykowski-Górecki

Jan 13, 2019, 6:11:15 AM
to 22...@tutamail.com, qubes-users

You need to install python-concurrent.futures package there. Open
terminal in whonix-gw (and -ws) and execute:

sudo apt install python-concurrent.futures

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

22...@tutamail.com

Jan 16, 2019, 10:13:49 AM
to qubes-users
Worked like a charm!

Opened up "Konsole" in my whonix-14-gw and -ws templates

Ran this command:
sudo apt install python-concurrent.futures

I can now use the Sun/update icon to update my templates.

It seems the benefits are:
Starts and stops each template automatically, one at a time
Can run the updates in the background without manual intervention

Not sure there are other benefits but thanks again!!

Keep doing what you folks do!
