qvm-template list is incomplete when the updatevm has sys-cacher configured #27

Closed
ben-grande opened this issue Feb 27, 2024 · 1 comment
Labels
help wanted Extra attention is needed T: bug Something isn't working

Comments

@ben-grande
Owner

ben-grande commented Feb 27, 2024

Software version

Possibly ever since sys-cacher.install-client is being called in sys-pihole.install in R4.2.

Brief summary

Listing templates from Dom0 does not work if using certain qubes for certain functionality that should support it, as sys-pihole is being set as the updatevm.

Steps to reproduce

Install sys-pihole, configure it to be the updatevm and make sure it is using sys-cacher as the updates proxy. Make sure that sys-cacher netvm is set to sys-pihole.

Notice the template list is incomplete. Comment the proxy line in /etc/dnf/dnf.conf and try again and see that the list is complete.

Expected behavior

Complete list of templates available.

Actual behavior

Incomplete list of templates via qvm-template list, only showing installed templates.

dom0 calls sys-pihole via qvm-template, which calls sys-cacher via qubes.UpdatesProxy, which then calls sys-pihole again as the netvm.

Possible solution

There are two solutions:

  1. do not cache updates from sys-pihole as it is probably the netvm of the sys-cacher
  2. create a separate updatevm

The first option's disadvantage is having a slower install, as packages are fetched through the network if they are not cached.

The second option's disadvantage is that the updatevm is never powered off automatically after being used, leaving it hanging around, while setting the updatevm to be the same as the default_netvm is good as it does not require one more qube to be powered on. Besides that, there are no security benefits in having a separate updater qube for dom0, as it does not trust the DomU anyway.

Although there are two solutions to the problem, they don't clearly answer why the problem occurs. What happens in sys-pihole that, when using sys-cacher, the fetching of the template list does not work, while updating dom0 does work?

@ben-grande ben-grande added T: bug Something isn't working help wanted Extra attention is needed labels Feb 27, 2024
@ben-grande ben-grande changed the title from "dom0 qvm-template is incomplete when using an updatevm with sys-cacher configured" to "qvm-template list is incomplete when the updatevm has sys-cacher configured" Mar 14, 2024
@ben-grande
Owner Author

Couldn't make an updatevm behave correctly with sys-cacher when using it for template listing. Dom0 updates were never affected, but template listing/searching/installing was. It only happened if you installed the sys-cacher formula to the debian template before creating the sys-pihole StandaloneVM plus making sys-pihole the updatevm.

Why revisit this issue later:

  • Faster updates with cacher for the sys-pihole StandaloneVM.

Why not do it:

  • Using the UpdatesProxy on any qube can change the network chain and cause leaks to a network that is not the same as the netvm of said qube. In the default state it didn't happen because sys-cacher netvm is the default_netvm sys-pihole.
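
An added example, not part of the original thread or the project's code: a Python check that flags the two conditions discussed in this issue, an update path that routes back through the qube itself and an updates proxy whose upstream skips hops in the qube's own netvm chain. The qube names `sys-vpn`, `work` and `personal`, the `sys-net` uplink, and both mappings are constructed assumptions; on a real system they would be read from each qube's `netvm` property and the `qubes.UpdatesProxy` policy.

```python
# Constructed topology based on the setup in this issue. On a real system the
# values come from each qube's netvm property and the qubes.UpdatesProxy policy.
NETVM = {  # qube -> netvm (None means no upstream qube)
    "sys-net": None,
    "sys-pihole": "sys-net",
    "sys-cacher": "sys-pihole",
    "sys-vpn": "sys-pihole",    # hypothetical VPN qube
    "personal": "sys-pihole",   # hypothetical qube on the default netvm
    "work": "sys-vpn",          # hypothetical qube behind the VPN
}
UPDATES_PROXY = {  # qube -> qube that serves qubes.UpdatesProxy for it
    "sys-pihole": "sys-cacher",
    "personal": "sys-cacher",
    "work": "sys-cacher",
}


def net_chain(qube, netvm=NETVM):
    """Return the netvm hops above `qube`, nearest first."""
    chain, seen, cur = [], {qube}, netvm.get(qube)
    while cur is not None:
        if cur in seen:
            raise ValueError(f"netvm loop at {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = netvm.get(cur)
    return chain


def update_path(qube, netvm=NETVM, proxy=UPDATES_PROXY):
    """Hops that update traffic takes: the proxy qube, then the proxy's chain."""
    target = proxy.get(qube)
    if target is None:
        return net_chain(qube, netvm)
    return [target] + net_chain(target, netvm)


def audit(qube, netvm=NETVM, proxy=UPDATES_PROXY):
    """Flag a circular update path and netvm hops the update path skips."""
    normal, updates = net_chain(qube, netvm), update_path(qube, netvm, proxy)
    findings = []
    if qube in updates:
        findings.append("loop")  # updates come back through the qube itself
    skipped = [hop for hop in normal if hop not in updates]
    if skipped:
        findings.append("bypass:" + ",".join(skipped))
    return findings
```

With this data, `sys-pihole` is reported as a loop, `work` as bypassing `sys-vpn`, and `personal` (on the default netvm) as clean.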

ben-grande added a commit that referenced this issue Mar 19, 2024
Git revision is specified in the git module so that Salt does not fail trying to
verify it is in HEAD when it is in a tag from a previous installation.

Fixes: #27