Re: [EXT] Re: [qubes-users] qubes-dom0-update (https://github.com/QubesOS/qubes-issues/issues/6581)

Wed, 26 May 2021 09:33:10 -0700 

On 5/26/21 5:23 PM, unman wrote:

On Wed, May 26, 2021 at 04:22:39PM +0200, Ulrich Windl wrote:

Hi!

I know that the issue is marked fixed already, but I wonder if there should
have been some more popular notice for this surprising change in the update
mechanism.

Today I saw there (before installing updates):
[master@dom0 ~]$ sudo qubes-dom0-update
Using sys-firewall as UpdateVM to download updates for Dom0; this may take
some time...
warning: Converting database from bdb to sqlite backend
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Warning: Enforcing GPG signature check globally as per active RPM security
policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)

Today's updates were:
pm-plugin-systemd-inhibit-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM
CEST
rpm-plugin-selinux-4.14.2.1-5.fc25.x86_64     Wed 26 May 2021 03:34:19 PM
CEST
qubes-rpm-oxide-0.2.2-1.fc25.x86_64           Wed 26 May 2021 03:34:19 PM
CEST
qubes-mgmt-salt-dom0-4.0.25-1.fc25.noarch     Wed 26 May 2021 03:34:19 PM
CEST
qubes-core-dom0-linux-kernel-install-4.0.30-1.fc25.x86_64 Wed 26 May 2021
03:34:19 PM CEST
qubes-core-dom0-linux-4.0.30-1.fc25.x86_64    Wed 26 May 2021 03:34:19 PM
CEST
python3-rpm-4.14.2.1-5.fc25.x86_64            Wed 26 May 2021 03:34:19 PM
CEST
python2-rpm-4.14.2.1-5.fc25.x86_64            Wed 26 May 2021 03:34:19 PM
CEST
rpm-sign-libs-4.14.2.1-5.fc25.x86_64          Wed 26 May 2021 03:34:12 PM
CEST
rpm-libs-4.14.2.1-5.fc25.x86_64               Wed 26 May 2021 03:34:12 PM
CEST
rpm-build-libs-4.14.2.1-5.fc25.x86_64         Wed 26 May 2021 03:34:12 PM
CEST
rpm-4.14.2.1-5.fc25.x86_64                    Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-config-4.0.25-1.fc25.noarch   Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-base-config-4.0.2-1.fc25.noarch Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-base-4.0.4-1.fc25.noarch      Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-admin-tools-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-4.0.25-1.fc25.noarch          Wed 26 May 2021 03:34:12 PM
CEST

When re-trying after those updates, (most of) the message is still there:
Using sys-firewall as UpdateVM to download updates for Dom0; this may take
some time...
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Warning: Enforcing GPG signature check globally as per active RPM security
policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Last metadata expiration check: 0:41:44 ago on Wed May 26 15:33:47 2021.
Dependencies resolved.
=========================================================================================
  Package                                Arch    Version Repository
Size
=========================================================================================
Upgrading:
  python2-rpm                            x86_64  4.14.2.1-5.fc25
qubes-dom0-current  118 k
  python3-rpm                            x86_64  4.14.2.1-5.fc25
qubes-dom0-current  118 k
  qubes-core-dom0-linux                  x86_64  4.0.30-1.fc25
qubes-dom0-current   54 k
  qubes-core-dom0-linux-kernel-install   x86_64  4.0.30-1.fc25
qubes-dom0-current   14 k
  qubes-mgmt-salt                        noarch  4.0.25-1.fc25
qubes-dom0-current   11 k
  qubes-mgmt-salt-admin-tools            noarch  4.0.25-1.fc25
qubes-dom0-current   23 k
  qubes-mgmt-salt-base                   noarch  4.0.4-1.fc25
qubes-dom0-current   23 k
  qubes-mgmt-salt-base-config            noarch  4.0.2-1.fc25
qubes-dom0-current   16 k
  qubes-mgmt-salt-config                 noarch  4.0.25-1.fc25
qubes-dom0-current   27 k
  qubes-mgmt-salt-dom0                   noarch  4.0.25-1.fc25
qubes-dom0-current   12 k
  rpm                                    x86_64  4.14.2.1-5.fc25
qubes-dom0-current  531 k
  rpm-build-libs                         x86_64  4.14.2.1-5.fc25
qubes-dom0-current  137 k
  rpm-libs                               x86_64  4.14.2.1-5.fc25
qubes-dom0-current  325 k
  rpm-plugin-selinux                     x86_64  4.14.2.1-5.fc25
qubes-dom0-current   68 k
  rpm-plugin-systemd-inhibit             x86_64  4.14.2.1-5.fc25
qubes-dom0-current   69 k
  rpm-sign-libs                          x86_64  4.14.2.1-5.fc25
qubes-dom0-current   71 k
Installing dependencies:
  qubes-rpm-oxide                        x86_64  0.2.2-1.fc25
qubes-dom0-current  138 k

Transaction Summary
=========================================================================================
Install   1 Package
Upgrade  16 Packages

Total size: 1.7 M
DNF will only download packages for the transaction.
Downloading Packages:
[SKIPPED] qubes-rpm-oxide-0.2.2-1.fc25.x86_64.rpm: Already downloaded

[SKIPPED] python2-rpm-4.14.2.1-5.fc25.x86_64.rpm: Already downloaded

[SKIPPED] python3-rpm-4.14.2.1-5.fc25.x86_64.rpm: Already downloaded

[SKIPPED] qubes-core-dom0-linux-4.0.30-1.fc25.x86_64.rpm: Already downloaded
[SKIPPED] qubes-core-dom0-linux-kernel-install-4.0.30-1.fc25.x86_64.rpm:
Already downloaded
[SKIPPED] qubes-mgmt-salt-4.0.25-1.fc25.noarch.rpm: Already downloaded

[SKIPPED] qubes-mgmt-salt-admin-tools-4.0.25-1.fc25.noarch.rpm: Already
downloaded
[SKIPPED] qubes-mgmt-salt-base-4.0.4-1.fc25.noarch.rpm: Already downloaded
[SKIPPED] qubes-mgmt-salt-base-config-4.0.2-1.fc25.noarch.rpm: Already
downloaded
[SKIPPED] qubes-mgmt-salt-config-4.0.25-1.fc25.noarch.rpm: Already
downloaded
[SKIPPED] qubes-mgmt-salt-dom0-4.0.25-1.fc25.noarch.rpm: Already downloaded
[SKIPPED] rpm-4.14.2.1-5.fc25.x86_64.rpm: Already downloaded

[SKIPPED] rpm-build-libs-4.14.2.1-5.fc25.x86_64.rpm: Already downloaded

[SKIPPED] rpm-libs-4.14.2.1-5.fc25.x86_64.rpm: Already downloaded

[SKIPPED] rpm-plugin-selinux-4.14.2.1-5.fc25.x86_64.rpm: Already downloaded
[SKIPPED] rpm-plugin-systemd-inhibit-4.14.2.1-5.fc25.x86_64.rpm: Already
downloaded
[SKIPPED] rpm-sign-libs-4.14.2.1-5.fc25.x86_64.rpm: Already downloaded

Complete!
The downloaded packages were saved in cache until the next successful
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Qubes OS Repository for Dom0

33 MB/s |  34 kB     00:00

So (as it seems) I'll have to follow
https://github.com/QubesOS/qubes-issues/issues/6581
Unfortunately
https://github.com/QubesOS/qubes-issues/issues/6581#issuecomment-832121456
is not really helpful: Where is that configuration file? Specifically
/var/lib/qubes/dom0-updates/ does not exist after running the update
command.

So what's the status?

Regards,
Ulrich



The changes consequent on hardening of the rpm update mechanism were
poorly handled.
The changes consequent to upgrading the updateVM to fedora-33 were
warnings, and the solution was signalled in the warning message.
(see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Very few users seem to have a) read that message, or b) tried to do what
it said.


Sorry, but I feel stupid:
Even after removing any failovermethod line from /var/lib/qubes/dom0-updates/etc/yum.repos.d/* in sys-firewall, those lines were re-added next time when I had run qubes-dom0-update in Dom0. Same for adding localpkg_gpgchgeck. 


You have to look at the manpage in the updateVM (since that is where the
warning is coming from) and apply the solution in dom0. This isnt
intuitive unless you know about the Qubes dom0 update mechanism.
It wasn't obvious to me that the command output came from sys-firewall (UpdateVM), sorry.
The comment cited earlier reads: "This is harmless. The fix is simply to delete those lines from the configuration in dom0." 

I still feel stupid.

Regards,
Ulrich





--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f631b00b-5867-25c4-0e2c-d3ca2da308f3%40rz.uni-regensburg.de.

Reply via email to