qubes.UpdatesProxy fails with "Refusing to execute executable service" error #9299

marmarek · 2024-06-12T18:25:48Z

Originally posted by @tvondra in #9151 (comment):

I think I ran into this issue today, after switching sys-net from fedora-38-xfce to fedora-39-xfce. Updating any template fails with this:

Updating fedora-39-xfce
Install requirements
Refreshing package info
Errors during downloading metadata for repository 'fedora':
  - Curl error (56): Failure when receiving data from the peer for https://mirrors.fedoraproject.org/metalink?repo=fedora-39&arch=x86_64 [Proxy CONNECT aborted]
Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (56): Failure when receiving data from the peer for https://mirrors.fedoraproject.org/metalink?repo=fedora-39&arch=x86_64 [Proxy CONNECT aborted]

and restarting the sys-net VM, or the qubes-updates-proxy did not help at all.

journalctl on sys-net however shows this, which I did not see mentioned here:

Jun 12 19:18:29 sys-net qrexec-agent[1085]: 2024-06-12 19:18:29.792 qrexec-agent[1085]: qrexec-agent-data.c:242:handle_new_process_common: failed to spawn process
Jun 12 19:18:29 sys-net qrexec-agent[1085]: 2024-06-12 19:18:29.792 qrexec-agent[1085]: exec.c:751:find_qrexec_service: Refusing to execute executable service /etc/qubes-rpc/qubes.UpdatesPr>
Jun 12 19:18:29 sys-net qrexec-agent[1083]: 2024-06-12 19:18:29.673 qrexec-agent[1083]: qrexec-agent-data.c:242:handle_new_process_common: failed to spawn process
Jun 12 19:18:29 sys-net qrexec-agent[1083]: 2024-06-12 19:18:29.673 qrexec-agent[1083]: exec.c:751:find_qrexec_service: Refusing to execute executable service /etc/qubes-rpc/qubes.UpdatesPr>
Jun 12 19:18:29 sys-net qrexec-agent[1081]: 2024-06-12 19:18:29.537 qrexec-agent[1081]: qrexec-agent-data.c:242:handle_new_process_common: failed to spawn process
Jun 12 19:18:29 sys-net qrexec-agent[1081]: 2024-06-12 19:18:29.537 qrexec-agent[1081]: exec.c:751:find_qrexec_service: Refusing to execute executable service /etc/qubes-rpc/qubes.UpdatesPr>

The timestamps match the attempted template update. I have not found the reason for this, but switching sys-net to fedora-40-xfce resolved the issue for me for now.

The text was updated successfully, but these errors were encountered:

marmarek · 2024-06-12T18:27:47Z

Can you check what you have in /etc/qubes-rpc/qubes.UpdatesProxy ? It should be a symlink to /dev/tcp/127.0.0.1/8082. Maybe you have some modified version and it got created as .rpmnew file or such?

If service type is changed from socket to executable, some config options are not applicable anymore. Do not fail execution but just log a warning. This is also relevant for migration in the other direction - if user has an executable service that is updated to a socket service, user may want preserve the executable variant (which is also done by the package manager if user has modified said service) - in which case, the config for socket variant should not prevent this configuration from working. This has been reported to happen with qubes.UpdatesProxy service. Fixes QubesOS/qubes-issues#9299

tvondra · 2024-06-12T19:12:05Z

Interesting. In sys-net (running fedora-40-xfce) I see just this:

lrwxrwxrwx. 1 root root   23 May  9 02:00 qubes.UpdatesProxy -> /dev/tcp/127.0.0.1/8082

but in the fedora-39-xfce template I see this:

-rwxr-xr-x. 1 root root   37 Apr 10 22:32 qubes.UpdatesProxy
lrwxrwxrwx. 1 root root   23 May  9 02:00 qubes.UpdatesProxy.rpmnew -> /dev/tcp/127.0.0.1/8082

So yeah, there is a .rpmnew, but I really don't recall ever touching these files. But I see the qubes.UpdatesProxy contains this:

exec socat STDIO TCP4:127.0.0.1:8082

Could this be due to the fix to force IPv4?

marmarek · 2024-06-12T19:18:09Z

Could this be due to the fix to force IPv4?

Very likely.

Move qubes.UpdatesProxy.rpmnew over to qubes.UpdatesProxy.

tvondra · 2024-06-12T22:28:04Z

Yes, moving .rpmnew over to the original file fixed this and sys-net became usable with the f39 template for me. I'll keep using the f40 one anyway, I just wanted to test this.

qubesos-bot · 2024-06-14T22:34:24Z

Automated announcement from builder-github

The package core-qrexec has been pushed to the r4.3 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bookworm-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

qubes.UpdatesProxy fails with "Refusing to execute executable service" error #9299

qubes.UpdatesProxy fails with "Refusing to execute executable service" error #9299

Comments

marmarek commented Jun 12, 2024 • edited by andrewdavidwong Loading

marmarek commented Jun 12, 2024

tvondra commented Jun 12, 2024

marmarek commented Jun 12, 2024 • edited Loading

tvondra commented Jun 12, 2024

qubesos-bot commented Jun 14, 2024

qubesos-bot commented Jun 14, 2024

qubesos-bot commented Jun 14, 2024

qubesos-bot commented Jun 14, 2024

qubesos-bot commented Jun 14, 2024

alimirjamali commented Jun 20, 2024 • edited Loading

qubesos-bot commented Jun 25, 2024

qubesos-bot commented Jun 25, 2024

qubesos-bot commented Jun 27, 2024

qubesos-bot commented Jun 27, 2024

qubesos-bot commented Jun 27, 2024

qubesos-bot commented Jun 27, 2024

qubesos-bot commented Jul 2, 2024

qubesos-bot commented Jul 2, 2024

qubesos-bot commented Jul 2, 2024

qubesos-bot commented Jul 11, 2024

marmarek commented Jun 12, 2024 •

edited by andrewdavidwong

Loading

marmarek commented Jun 12, 2024 •

edited

Loading

alimirjamali commented Jun 20, 2024 •

edited

Loading