Upgrades all sys-* VMs to Fedora 30 #331
Conversation
F29 is approaching EOL [0], so it's time to bump to F30. These changes are most important for the `sys-*` VMs, such as `sys-firewall`. [0] https://fedoraproject.org/wiki/End_of_life
Previously, we weren't explicitly declaring the default DispVM template at all. On fresh installs of 4.0.1, it'll be fedora-29, but over time, as Fedora versions lapse into EOL, users/admins must manually update the setting. That's no good. Rather than bump to the latest version of Fedora (F30 as of this writing), let's use the SDW disp template, since that includes no network, minimizing the possibility of misconfigurations in the SDW workflows.
Allows unattended-upgrades of the Fedora-based sys-{firewall,net,usb}
AppVMs. It's somewhat of a harsh approach to `qvm-kill` the VMs while
they're running, but doing so appears to be our only option, given that:
1. It's critical these VMs stay up-to-date (to receive patches)
2. It's not possible to modify template settings for running VMs
3. `qvm-shutdown` won't work on netvms with attachd hosts (hence
`qvm-kill`)
Once the configuration is applied, killing each VM once, the new
template will be used. Then we'll have to do it again in about six
months, due to Fedora release cycle.
The RPM repo pubkey must exist in sys-firewall, in order for `qubes-dom0-update` to pull in packages. We were previously adding the pubkey to sys-firewall in a temporary manner; now the pubkey persists across reboots.
conorsch
force-pushed
the
262-upgrade-sys-vms-to-fedora-30
branch
from
729e1c8 to
1bd0d2e
Compare
There was a problem hiding this comment.
Performed testing per the test plan, and did a visual review, looks great !
-
make allshows no errors -
make testshow no errors - all
sys-*VMs runningfedora-30 - start/restart an AppVM, confirm
qvm-open-in-dvm <file>opens in an SDW netless VM
One improvement we could make here is to also uninstall the template (sudo dnf remove qubes-template-fedora-29), as it will no longer be required, and will only increase upgrade time and likelihood of misconfigurations.
Good point. During standup today, @kushaldas mentioned he'd like to keep the older F templates around. We may be forced to do so for a while, or at least update the logic here to vigorously replace all templates. For instance, I had I'll open a follow up ticket to discuss cleanup, which will also be relevant for the W14 -> W15 upgrades (#300), deferring changes for now. |
Implements unattended updates to the built-in Qubes
sys-*VMs, specifically:sys-netsys-firewallsys-usbIf the VMs are not running the latest version, they will briefly be halted to change the template setting, then restarted on the new template.
Updates the default DispVM template to be
sd-svs-disp. Enabling this as the default means thatqvm-open-in-dvm <file>from any VM will result insd-svs-dispbeing used.Improves the dom0 RPM repo logic to be persistent across reboots. Doing so was required in order to get the tests passing after the template update specifically for
sys-firewall.Addresses changes specified in a few different issues; thus:
Testing
In order to test, first confirm that your environment is not what's enforced by this PR. Specifically, your system should be configured as follows:
The above shows the pre-merge "correct" settings, namely F29 rather than F30 throughout.
If you already have a prior version of the SDW config provisioned, do not run
make clean.Instead, simply run
make all, which will confirm that the VMs are updated in-place despitea pre-existing config.
Afterwards, the output of the above commands should be:
As always, ensure that
make testpasses without error. New tests have been added to verifythe above settings; the example commands are provided for clarity.
Succinct checklist for testing:
make allshows no errorsmake testshow no errorssys-*VMs runningfedora-30qvm-open-in-dvm <file>opens in an SDW netless VM