Syncing qvm-features after installation of a qubes-core-admin addon?

Aaron Rainbolt

Oct 24, 2025, 7:15:43 PM
to qubes...@googlegroups.com, adre...@whonix.org
There's probably a substantial Qubes R4.3 userbase that doesn't have
qubes-core-admin-addon-kicksecure installed yet. Anyone who installs
the kicksecure-18 template is going to get a deluge of notifications,
similar to the issue described in [1]. As a workaround, I documented
how to manually install qubes-core-admin-addon-kicksecure, restart
qubesd, and then re-sync qvm-features from the kicksecure-18 template
by source'ing all the scripts under /etc/qubes/post-install.d. [2]

This is workable, and most users will probably not run into this issue,
but is there possibly a way to work around this, so that when a user
installs qubes-core-admin-addon-kicksecure for the first time, the
appropriate features are automatically set? The only "correct" way I
can think of to do this would be to boot every single not-yet-booted
template, run all of its post-install.d scripts in the same shell, then
shut down the template if it wasn't booted at addon install time. That
sounds very painful though, and like something that should be avoided
if at all possible. The other option I can think of would be to scan
for templates with a name matching the regex "kicksecure-\d+" and
adding any necessary features to them, but that risks both false
positives and false negatives.

I don't think there's any good way around this, but I wanted to ask, in
case a solution better than the existing documentation is possible.

Thanks for your time :)

--
Aaron

[1] https://github.com/QubesOS/qubes-issues/issues/7447
[2] https://www.kicksecure.com/wiki/Qubes#Known_Issues

Marek Marczykowski-Górecki

Oct 24, 2025, 7:22:25 PM
to Aaron Rainbolt, qubes...@googlegroups.com, adre...@whonix.org

On Fri, Oct 24, 2025 at 06:15:24PM -0500, Aaron Rainbolt wrote:
> There's probably a substantial Qubes R4.3 userbase that doesn't have
> qubes-core-admin-addon-kicksecure installed yet. Anyone who installs
> the kicksecure-18 template is going to get a deluge of notifications,
> similar to the issue described in [1]. As a workaround, I documented
> how to manually install qubes-core-admin-addon-kicksecure, restart
> qubesd, and then re-sync qvm-features from the kicksecure-18 template
> by source'ing all the scripts under /etc/qubes/post-install.d. [2]
>
> This is workable, and most users will probably not run into this issue,
> but is there possibly a way to work around this, so that when a user
> installs qubes-core-admin-addon-kicksecure for the first time, the
> appropriate features are automatically set? The only "correct" way I
> can think of to do this would be to boot every single not-yet-booted
> template, run all of its post-install.d scripts in the same shell, then
> shut down the template if it wasn't booted at addon install time. That
> sounds very painful though, and like something that should be avoided
> if at all possible. The other option I can think of would be to scan
> for templates with a name matching the regex "kicksecure-\d+" and
> adding any necessary features to them, but that risks both false
> positives and false negatives.

The qubes-core-admin-addon-kicksecure package will get automatically
installed[1]. And template's post-install scripts will run at the next
template update. So, _if_ user runs into this issue, they simply need to
apply updates, no need to manually call any scripts.

[1] https://github.com/QubesOS/qubes-core-admin/commit/460b40c9

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Aaron Rainbolt

Oct 25, 2025, 9:58:55 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com, adre...@whonix.org
Ah, I didn't realize it would end up installed on R4.3 systems
installed from an earlier rc ISO. In that instance the chances of this
happening are pretty slim (I previously thought everyone who installed
from an rc1 or rc2 ISO was going to run into this).

> And template's post-install scripts will run at the next template
> update. So, _if_ user runs into this issue, they simply need to apply
> updates, no need to manually call any scripts.

True. There may still be edge cases where a user might run into this
problem and just updating isn't enough (i.e. if they somehow installed
all updates in the Kicksecure template before
qubes-core-admin-addon-kicksecure got installed or before qubesd was
restarted), but the number of users who will hit that edge case is
probably near zero. So never mind on my initial request, there probably
isn't anything additional worth doing here.

--
Aaron