Upgrade guide from 4.0 to latest recommended build
John Smiley
There are a lot of upgrades to be applied: firefox and whonix being the top two. I've tried both upgrade orders (firefox then whonix as well as whonix then firefox). I also usually include a qubues-dom0-update. I also typically like to go with fresh template installs rather than upgrades, although I've tried both and still ran into issues.
Is there a tried and true path?
John Smiley
Would some hardware details help?
Gigabyte X299 Aorus Gaming 3 mobo
All firmware and BIOS at latest releases
Intel Core i7-7820X CPU
32GB RAM
2 x NVMe 512GB drives (another Linux, usually Ubuntu 18.x installed on one of these, leaving one free for Qubes)
1 x SSD 512GB drive (Windows 10 installed here)
TPM 2.0 hardware-based module
1 x 4K display
1 x 3K display
1 x Nvidia 1080 Ti (I built this rig for gaming and then they stopped making good PC games - at least for my generation - I think I've aged out of all gaming demographics)
I have to believe that my problems with 4.0.1-rc are somehow related to my hardware being a bit unusual for a Qubes box. It can't be as broken for everyone as it is for me.
unman
testing repositories and installing the packages from there. But remember
this is currently a testing release - it is NOT "the latest recommended build".
If you want that, stay with 4.0 and install updates from the current
Qubes repository.
If you do want to test 4.0.1rc1, then enable the testing repositories in
dom0, update package lists and install latest packages.
If you are installing fresh templates remember to also enable Qubes testing
repositories in the templates and upgrade them also, to avoid friction
between the 4.0 packages in the templates and the 4.0.1 in dom0.
Normal distro updates can just be applied.
It isn't clear to me in what way 4.0.1 is broken for you. You've
reported one issue about Whonix - it should be clear that there are a
number of issues with Whonix in 4.0 and in 4.0.1. If you encounter a
problem using Whonix make sure that it doesn't apply in the Debian
templates, and report it as a Whonix specific issue, or use this mailing
list for help.
I don't think here's anything in your hardware that strikes me as off,
although you may find issues with the Nvidia and 4k - see on this list
for other user's experiences. Allocating more memory to the individual
qubes seems to help with external displays.
22...@tutamail.com
I'll take a shot at helping but would defer to Unman who has helped me out a lot, both directly and indirectly on this forum.
Some notes:
Been using 3.2 and 4.0 only...haven't tried 4.0.1
No an expert but have having been hacking my way thru Qubes to make it my primary
I loaded 4.0, however during the setup I did not add the default whonix template(v13 I think) to my system as the default whonix needs to be removed in order to upgrade to 14. This option is chosen when loading Qubes for the first time.
I immediately update Dom0 using a VPN connection thru my network
After installing Qubes 4.0, I immediately install whonix-14 following these instructions: https://www.whonix.org/wiki/Qubes/Install
All updates going forward are done thru whonix-14-GW.........
When you say upgrading Firefox are you just updating Firefox or the whole template...I don't just upgrade Firefox, I update the whole template i.e. I update Debian and Fedora and this updates Firefox in the template and the appvm's associated with the template. Make sure you are aware of the template/appvm relationship...you don't update the appvm(e.g. sys-whonix), you update the template(whonix-gw) which is the source for the appvm(sys-whonix).
Other best practices I follow:
*Fresh templates seems to be the advice(vs upgrading)
*Whonix-gw is a key template to update as all my updates are done thru this template/appvms
* Get a VPN appvm setup as a priority
* Clone you templates and experiment on the clones, this way you can resort back to your clean template WHEN you F%$# it up (Not IF...you will at some point mess one up)
Good luck, hope this helps...
22...@tutamail.com
John,
I'll take a shot at helping but would defer to Unman who has helped me out a lot, both directly and indirectly on this forum.
Some notes:
Been using 3.2 and 4.0 only...haven't tried 4.0.1
Not an expert but have having been using Qubes as my primary for over a year.
I loaded 4.0, however during the setup I did not add the default whonix template(v13 I think) to my system as the default whonix needs to be removed in order to upgrade to whonix-14. This option is chosen when loading Qubes for the first time.
I immediately update Dom0 using a VPN connection thru my network
After installing Qubes 4.0, I immediately install the whonix-14 template following these instructions: https://www.whonix.org/wiki/Qubes/Install
All updates going forward are done thru sys-whonix-14-GW.........
When you say upgrading Firefox are you just updating Firefox or the whole template...I don't just upgrade Firefox, I update the whole template i.e. I update the Debian template and the Fedora template and this updates Firefox in the template and the appvm's associated with the templates. Make sure you are aware of the template/appvm relationship...you don't update the appvm(e.g. sys-whonix), you update the template(whonix-gw) which is the source for the appvm(sys-whonix).
Other best practices I follow:
*Fresh templates seems to be the advice(vs upgrading)
*Whonix-gw template is a key template to update as all my updates are done thru this template/appvms
* Get a VPN appvm setup as a priority
* Clone your templates and experiment on the clones, this way you can resort back to your clean template WHEN you F%$# it up (Not IF...you will at some point mess one up)
John Smiley
Thank you @tutamail. This is more like what I was looking for. I've tried most of what you recommend, but not everything. I'll re-install 4.0 and give your suggestions a try.
I appreciate the other replies as well. Sorry if I wasn't clear. I only tried 4.0.1-rc1 out of desperation. What I want is the latest production 4.0 platform. Most operating systems have a simple process by which you are informed of packages that are out of date and are offered an opportunity to upgrade them to the most recent version supported by the distributor. It would be great if Qubes had something like that. Perhaps someday it will. In the meantime, there ought to be a document that clearly explains how to go from a fresh install to the most recent Qubes-supported version of every package installed in each template and dom0. It would be even nicer if there were a nightly/weekly build of the same packages used in a fresh install, but all updated to the latest supported version so that we could simply download and install that and know that we have all of the most recent patches and upgrades.
John Smiley
I can hear some of you now saying that if I want these things then get up off my lazy ass and build them. If I weren't fully (some would say overyly) employed with nothing but free time on my hands, I still wouldn't do that because I have other interests. I'm the consumer here. Some of you seem to forget that. This is feeback coming from a customer. Treat it as such.
I'm also not a Linux newbie. I'm not stumbling around trying to figure out where the power button is. I've used, installed, and upgraded various forms of Linux for years. My point is I know a lot more than most about Linux and virtualization and I'm having lots of issues with Qubes. I fully expect to spend many hours learning how Qubes works and how I can make the best use of it. I should not have to spend many hours simply getting it installed and updated. I don't think it's too big of an ask to have this spelled out well enough that someone experienced with Linux, but fresh to Qubes, can follow it and have be confident that the many security and other fixes described so well in your announcements are fixed/patched. Perhaps the problems I'm experiencing are unusual. I've been told that my hardware isn't all that peculiar for Qubes, so this should be a cake walk.
unman
available , and enables you to update them. If you open the Qube manager
you will see an indicator of when updates are available, and can R-click
to select "update qube".
If you don't use the Qube manager, then you can just run "sudo
qubes-dom0-update" periodically to check for and install updates in
dom0, and 'apt update' as you will.
I use salt to update all my templates with a single command, but other
users have python/bash scripts to iterate over templates.
There's also an update widget on the way.
There are already docs about updating dom0 and templates:
www.qubes-os.org/doc/software-update-dom0
www.qubes-os.org/doc/software-update-vm
These give a fairly detailed guide. If you think they need clarification
please suggest changes in a PR.
The latest versions of packages are in the current repository after
spending some time in testing. There really isn't any need for nightly
builds, I think. If you keep your dom0 updated then it will transition
to 4.0.1. (Many users seem to find this hard to grasp.)
unman
participant/consumers, although I dont believe any of us are customers - you're not.
But your feedback is valued.
It would be *more* helpful if you gave some details about what issues you
have experienced, what you have tried, and what problems you still have.
When you reinstall 4.0 , if you hit problems just drop a line to this
list: there are many people who will try to help.
John Smiley
I've noticed and tried the update notices in QM. I wasn't sure if that was the same as using the shortcuts and/or os package manager. I've tried both and had issues with both.
> If you don't use the Qube manager, then you can just run "sudo
> qubes-dom0-update" periodically to check for and install updates in
> dom0, and 'apt update' as you will.
I generally do include qubes-dom0-update as either the first step after a fresh install or right after installing fedora-28. Oddly, the first section of the doc on installing and updating software in dom0 https://www.qubes-os.org/doc/software-update-dom0/ reads like a warning not to do it unless you have a specific reason (and then goes on to list some of those reasons), so at first didn't run qubes-dom0-update. It was only after I started reading some of the Xen security patch announcements that I started including this as a mandatory early step after a fresh install.
>
> I use salt to update all my templates with a single command, but other
> users have python/bash scripts to iterate over templates.
Interesting. I'm not familiar with this at all. I'll see what I can find out with some searching.
>
> There's also an update widget on the way.
>
> There are already docs about updating dom0 and templates:
> www.qubes-os.org/doc/software-update-dom0
> www.qubes-os.org/doc/software-update-vm
> These give a fairly detailed guide. If you think they need clarification
> please suggest changes in a PR.
>
> The latest versions of packages are in the current repository after
> spending some time in testing. There really isn't any need for nightly
> builds, I think. If you keep your dom0 updated then it will transition
> to 4.0.1. (Many users seem to find this hard to grasp.)
Thanks for pointing this out. So once 4.0.1 goes GA, a 4.0 system will automatically upgrade itself to 4.0.1 via qubes-dom0-update?
John Smiley
Your quick responses are greatly appreciated. I just re-installed 4.0 and will make detailed notes of any issues I can't work through on my own.
Customer or not? Well it's a free OS (not sure how you guys stay in business), so do we become customers by installing and using it? Does Facebook consider their users customers? More generally, if you don't pay for something, does that disqualify you from being considered a customer? I'm not sure it matters in this case. You are trying to help in spite of my snarkiness (which I will try to tone down) and that's what matters.
unman
unman
that good as an introduction, and needs more work.
There is a reasonable discussion on github with different approaches.
>
> >
> > There's also an update widget on the way.
> >
> > There are already docs about updating dom0 and templates:
> > www.qubes-os.org/doc/software-update-dom0
> > www.qubes-os.org/doc/software-update-vm
> > These give a fairly detailed guide. If you think they need clarification
> > please suggest changes in a PR.
> >
> > The latest versions of packages are in the current repository after
> > spending some time in testing. There really isn't any need for nightly
> > builds, I think. If you keep your dom0 updated then it will transition
> > to 4.0.1. (Many users seem to find this hard to grasp.)
>
> Thanks for pointing this out. So once 4.0.1 goes GA, a 4.0 system will automatically upgrade itself to 4.0.1 via qubes-dom0-update?
>
the templates though - I mean that 4 shipped with jessie as Debian
template and that isn't updated with qubes-dom0-update. You need to
separately install a stretch template, or dist-upgrade the jessie.)
John Smiley
I just donated $100 (+$14 to cover the cost of using a card) to Qubes to assuage my guilty conscience over giving you guys a hard time.
unman
John Smiley
And you guys probably thought I just couldn't follow directions:
https://github.com/QubesOS/qubes-issues/issues/4628
I'll put together a doc describing exactly how to go from 4.0 fresh install to latest GA build once we've sorted everything out. It will probably be obsolete before I finish it, but at least the next poor slob who starts from the ISO won't have to thrash about quite as much as I did.
unman
will be very useful too.
Have you hit any problems using Fedora templates? From your install
notes it looks as if they are working fine, but I'm not absolutely sure.