On 10/11/20 11:16 AM, Marek Marczykowski-Górecki wrote:
> On Sat, Oct 10, 2020 at 09:50:00PM -0500, Andrew David Wong wrote:
>> I still upgrade dom0 and templates the old-fashioned way, because I'm used to it, I understand it, and I already have custom scripts for daily maintenance that include these commands.
>>
>> Specifically, I mean these kinds of commands:
>>
>>   `sudo qubes-dom0-update -y` in a dom0 terminal
>>   `dnf -y --refresh upgrade` in Fedora TemplateVM terminals
>>   `apt-get clean && apt-get -y update && apt-get -y dist-upgrade && apt-get -y autoremove && apt-get clean` in Debian-based TemplateVM terminals
>>
>> However, when I occasionally use the Qubes Update tool, I see that it creates a `disp-mgmt-*` DisposableVM for each VM it updates. This prompts me to wonder: Is updating with the Qubes Update tool more secure than my old-fashioned methods?
>
> Short answer: in some cases yes.
>
>> Are certain operations performed within that DisposableVM in order to protect the TemplateVM?
>
> The DisposableVM is used not to protect the TemplateVM, but to protect dom0 from a potentially compromised TemplateVM. Salt stack is a complex piece of software and we do not trust it won't get compromised when interacting with a compromised template. The benefit of using salt stack is not there (the usage of a DisposableVM actually makes it more resource intensive and slower...). The good part is that in addition to performing standard update commands, we can apply other changes before/after the update. For example, this is how we delivered the APT fix for Debian templates in the context of QSB#46. This is also how we updated the onion version of the repository addresses when we switched them. Another benefit is to have a single command to update any template.
Ah, so if I understand correctly, it's not that using dnf and apt-get manually in the template is somehow less safe, but rather that I run the risk of missing out on occasional security actions performed via Salt beyond normal dnf and apt-get updates.
>> If so, then how should I invoke this new update method with a command like the ones above? Are there drop-in replacements that I can use in my scripts?
>
> The salt version of dom0 update is:
>
>     sudo qubesctl state.sls update.qubes-dom0
>
> And then for TemplateVM and StandaloneVM (all at once):
>
>     sudo qubesctl --skip-dom0 --templates --standalones state.sls update.qubes-vm
>
> Useful options:
>
>   --max-concurrency - limit how many templates are updated at the same time - adjust to available RAM (default 4, GUI updater sets it to 1)
>   --targets=vm1,vm2,... - limit to specific VMs, instead of all the templates (use instead of --templates --standalones)
>   --show-output - show update summary instead of just OK/FAIL
>
> For other options see qubesctl --help
Thanks for the great answer, Marek! I noticed that these commands don't show the actual output from dnf or apt-get. Is there a way to do that?
Also, does this have a way of notifying users when they need to restart dom0 after updates that require it (e.g., Xen, kernel)?
-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
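As an added example (not from the thread and not Qubes OS code), a POSIX shell script that swaps the manual dnf/apt-get commands above for the qubesctl invocations Marek listed, running dom0 first and stopping on the first failure. The script name update-qubes.sh, the DRY_RUN, MAX_CONCURRENCY and TARGETS variables, and the default concurrency of 1 (the GUI updater's choice) are assumptions.

```shell
#!/bin/sh
# update-qubes.sh (assumed name): salt-based replacement for the manual
# dom0/template update commands. Run from a dom0 terminal.
set -eu

# Command for dom0 itself (must run before the templates).
dom0_update_cmd() {
    printf '%s' "sudo qubesctl state.sls update.qubes-dom0"
}

# Command for TemplateVMs/StandaloneVMs.
#   $1 = max concurrency: templates updated at once, each in its own
#        disp-mgmt-* DisposableVM, so tune it to available RAM
#   $2 = comma-separated VM list, or empty for all templates + standalones
vm_update_cmd() {
    concurrency=$1
    targets=$2
    if [ -n "$targets" ]; then
        scope="--targets=$targets"        # --targets replaces the two flags
    else
        scope="--templates --standalones"
    fi
    printf '%s' "sudo qubesctl --skip-dom0 $scope --max-concurrency=$concurrency --show-output state.sls update.qubes-vm"
}

# Execute a command line, or only print it when DRY_RUN=1 (assumed knob).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s\n' "$1"
    else
        # Word-splitting of $1 is intended: it is a plain argv list.
        # shellcheck disable=SC2086
        $1
    fi
}

main() {
    # set -e aborts here if the dom0 update fails, so templates are not
    # touched after a failed dom0 run.
    run "$(dom0_update_cmd)"
    run "$(vm_update_cmd "${MAX_CONCURRENCY:-1}" "${TARGETS:-}")"
}

# Only run when executed as update-qubes.sh, not when sourced.
if [ "${0##*/}" = "update-qubes.sh" ]; then
    main
fi
```

Invoke as `DRY_RUN=1 sh update-qubes.sh` to see the exact command lines, or `TARGETS=fedora-32,debian-10 sh update-qubes.sh` to restrict the template run.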