Removes package updates from sd-log AppVM config #535
Conversation
The logging config must ensure that the necessary FPF apt repos are in place, but the repo configs should only be applied for TemplateVMs. For netless AppVMs, the call will fail if updates are available.
There was a problem hiding this comment.
While I could not reproduce the underlying issue (see #514 (comment)), the changes here are sound. Not formally approving since marked WIP.
| @@ -1,10 +1,10 @@ | |||
| # -*- coding: utf-8 -*- | |||
| # vim: set syntax=yaml ts=2 sw=2 sts=2 et : | |||
|
|
|||
| {% if "template" in grains['id'] or grains['id'] in ["securedrop-workstation-buster", "whonix-gw-15"] %} | |||
There was a problem hiding this comment.
Do you think it would be best to explicitly list all the sd- managed template VMs here in a list, instead of relying on "template" in the name? It don't think there will be any functional improvements (due to sd-workstation.top), but it may make this part easier to understand/maintain
There was a problem hiding this comment.
Ideally, we'd use qubesdb-read /qubes-vm-type and select based on whether the value is "TemplateVM". The salt jinja templates are rendered in dom0, though, and we currently cannot leverage onlyif to the problems we saw in #485, so settling on no changes for now.
|
@conorsch these changes look good to merge, from my perspective. However, there's a WIP tag. Is this ready for final review? |
|
Ready for review. Kept the WIP tag on because I was seeing a bit of variability in the behavior, about whether the change was strictly necessary. Agreed that we want the cleanup either way, so fine with merging. |
Status
Ready for review
Description of Changes
Refs #514
Changes proposed in this pull request:
The logging config must ensure that the necessary FPF apt repos are in
place, but the repo configs should only be applied for TemplateVMs. For
netless AppVMs, the call will fail if updates are available.
Testing
First, make sure you can repro the failure scenario described in #514 (comment) Then, in a dev environment:
and observe all tests passing. Further research required for testing clean prod/staging installs. I've not done that yet.
Checklist
If you have made code changes
make flake8) passes in the development environment (this box maybe left unchecked, as
flake8also runs in CI)If you have made changes to the provisioning logic
All tests (
make test) pass indom0of a Qubes installThis PR adds/removes files, and includes required updates to the packaging
logic in
MANIFEST.inandrpm-build/SPECS/securedrop-workstation-dom0-config.spec