Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Qubes Updater silent failure while updating debian-10 TemplateVM #5705

Closed
emkll opened this issue Mar 4, 2020 · 25 comments · Fixed by QubesOS/qubes-mgmt-salt-dom0-update#9 or QubesOS/qubes-mgmt-salt#15
Closed

Qubes Updater silent failure while updating debian-10 TemplateVM #5705

emkll opened this issue Mar 4, 2020 · 25 comments · Fixed by QubesOS/qubes-mgmt-salt-dom0-update#9 or QubesOS/qubes-mgmt-salt#15
Assignees
@marmarek
Labels
C: mgmt P: major Priority: major. Between "default" and "critical" in severity. r4.0-bullseye-stable r4.0-buster-stable r4.0-centos7-stable r4.0-dom0-stable r4.0-fc29-stable r4.0-fc30-stable r4.0-fc31-stable r4.0-stretch-stable r4.1-bullseye-cur-test r4.1-buster-cur-test r4.1-centos7-cur-test r4.1-dom0-stable r4.1-fc29-stable r4.1-fc30-stable r4.1-fc31-cur-test r4.1-stretch-cur-test
Milestone
Release 4.0 updates

Comments

@emkll
Copy link

emkll commented Mar 4, 2020

Qubes OS version
Qubes release 4.0 (R4.0)

Affected component(s) or functionality
Qubes Updater / update/qubes-vm.sls

Brief summary
Qubes Updater fails to update Debian-based Template

To Reproduce

  1. Open Qubes updater
  2. Select debian-10
  3. Click next
    or
  4. run sudo qubesctl --show-output --skip-dom0 --targets debian-10 state.sls update.qubes-vm in dom0.

Expected behavior

  • Packages inside the VM should be upgraded, and return OK
  • Otherwise, failed upgrade operations should return a failure message success in the UI

Actual behavior

  • Packages in the VM are not upgraded, and output of the qubesctl command does not contain OK
  • UI suggests the upgrade was successfully completed (qubesctl command returns 0), even though a Salt error occurred in the Template

What appears to be relevant output in debian-10 template:

Mar  4 14:18:21 localhost systemd[1]: Started Session c14 of user root.
Mar  4 14:18:22 localhost qubes.VMRootShell-disp-mgmt-debian-10: SALT_ARGV: ['/usr/bin/python3', '/var/tmp/.root_62a99a_salt/salt-call', '--retcode-passthrough', '--local', '--metadata', '--out', 'json', '-l', 'quiet', '-c', '/var/tmp/.root_62a99a_salt', '--', 'test.opts_pkg']
Mar  4 14:18:22 localhost qubes.VMRootShell-disp-mgmt-debian-10: _edbc7885e4f9aac9b83b35999b68d015148caf467b78fa39c05f669c0ff89878
Mar  4 14:18:25 localhost systemd[1]: session-c14.scope: Succeeded.
Mar  4 14:18:25 localhost qrexec-agent[481]: send exit code 0
Mar  4 14:18:25 localhost qrexec-agent[481]: pid 1694 exited with 0
Mar  4 14:18:25 localhost qrexec-agent[481]: eintr
Mar  4 14:18:26 localhost qrexec-agent[481]: executed root:QUBESRPC qubes.VMRootShell disp-mgmt-debian-10 pid 1793
Mar  4 14:18:26 localhost systemd[1]: Started Session c15 of user root.
Mar  4 14:18:26 localhost systemd[1]: session-c15.scope: Succeeded.
Mar  4 14:18:26 localhost qrexec-agent[481]: send exit code 0
Mar  4 14:18:26 localhost qrexec-agent[481]: pid 1793 exited with 0
Mar  4 14:18:26 localhost qrexec-agent[481]: eintr
Mar  4 14:18:26 localhost qrexec-agent[481]: executed root:QUBESRPC qubes.VMRootShell disp-mgmt-debian-10 pid 1807
Mar  4 14:18:26 localhost systemd[1]: Started Session c16 of user root.
Mar  4 14:18:26 localhost qubes.VMRootShell-disp-mgmt-debian-10: SALT_ARGV: ['/usr/bin/python3', '/var/tmp/.root_62a99a_salt/salt-call', '--retcode-passthrough', '--local', '--metadata', '--out', 'json', '-l', 'quiet', '-c', '/var/tmp/.root_62a99a_salt', '--', 'state.pkg', '/var/tmp/.root_62a99a_salt/salt_state.tgz', 'test=None', 'pkg_sum=89f155d29e841fb86d260190219775a6bfafa1aeab4087303dfd9e763ca06cf5', 'hash_type=sha256']
Mar  4 14:18:26 localhost qubes.VMRootShell-disp-mgmt-debian-10: _edbc7885e4f9aac9b83b35999b68d015148caf467b78fa39c05f669c0ff89878
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10: Traceback (most recent call last):
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:   File "/var/tmp/.root_62a99a_salt/salt-call", line 27, in <module>
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:     salt_call()
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:   File "/var/tmp/.root_62a99a_salt/pyall/salt/scripts.py", line 445, in salt_call
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:     client.run()
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:   File "/var/tmp/.root_62a99a_salt/pyall/salt/cli/call.py", line 57, in run
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:     caller.run()
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:   File "/var/tmp/.root_62a99a_salt/pyall/salt/cli/caller.py", line 119, in run
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:     ret = self.call()
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:   File "/var/tmp/.root_62a99a_salt/pyall/salt/cli/caller.py", line 232, in call
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10:     func.__module__].__context__.get('retcode', 0)
Mar  4 14:18:31 localhost qubes.VMRootShell-disp-mgmt-debian-10: KeyError: 'salt.loaded.int.module.state'
Mar  4 14:18:32 localhost qrexec-agent[481]: send exit code 1
Mar  4 14:18:32 localhost qrexec-agent[481]: pid 1807 exited with 1
Mar  4 14:18:32 localhost systemd[1]: session-c16.scope: Succeeded.
Mar  4 14:18:32 localhost qrexec-agent[481]: eintr

Screenshots
updater

qubesctl_dom0

Additional context

  • Installing qubes 4.0.3 from scratch, I could not immediately reproduce, it seems like an issue with existing templates.
    For reference, the version of qubes-template-debian-10.noarch I am using is 4..1-201905201854

Solutions you've tried

  • Running apt upgrade directly on the VM itself does work, it seems like the issue is limited to salt

Relevant documentation you've consulted
none

Related, non-duplicate issues
none
@emkll emkll added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug labels Mar 4, 2020
@emkll emkll mentioned this issue Mar 4, 2020
Closed
@redshiftzero
Copy link

possibly related: saltstack/salt#56131

@emkll
Copy link
Author

emkll commented Mar 4, 2020

I think the ticket linked by @redshiftzero is very likely related:

Based on my local testing, on a freshly installed Qubes 4.0.3 machine:

On a fully patched Fedora-30 template, the salt version is 3000-2. I have downgraded the salt package (via sudo dnf downgrade salt, which also downgrades salt-ssh) to version 2019.2.0-1.fc30. After downgrading this package, the updater (and Salt) work as expected.

@conorsch
Copy link

conorsch commented Mar 5, 2020

Worth noting that using F29 (warning: Fedora29 is EOL) for the mgmt vm also resolves, due to the implicit version downgrade. So setting qvm-prefs default-mgmt-dvm template fedora-29, assuming you still have qubes-template-fedora-29, lets qubesctl run successfully again. Sharing this info less as a workaround and more because I'm unsure what most folks have for the default mgmt dvm template. The last time I performed a clean install of the OS was Qubes 4.0.1, and if memory serves, I altered the value to F30 while removing F29 templates across the board a few months back.

@andrewdavidwong andrewdavidwong added C: mgmt P: major Priority: major. Between "default" and "critical" in severity. and removed P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Mar 5, 2020
@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone Mar 5, 2020
@marmarek
Copy link
Member

marmarek commented Mar 5, 2020

Looks like this wants backporting. Note version difference - apparently failing without python-pip package is a common pattern in salt...

@marmarek marmarek self-assigned this Mar 5, 2020
@DemiMarie
Copy link

Should we install the python-pip package?

@marmarek
Copy link
Member

marmarek commented Mar 7, 2020

This is exactly what the commit I pointed in #5705 (comment) does.

@marmarek
Copy link
Member

marmarek commented Mar 8, 2020

If I read this correctly, we'd need python3-pip in every VM that is managed by salt, not only where salt-ssh is running. This means a simple dependency on a salt-related package isn't enough.

On the other hand, the failing code applies only to states using "onlyif" keyword - if I remove them, the update works. Since the salt bug will probably take some more time to fix (PR with the fix is there already, but then it would need to be merged, released and packaged into Fedora), I'd go with avoiding "onlyif" in the update formula. Fortunately, it is used only to apply updates that are incorporated into new templates already, so I can simply remove those entries.

@marmarek marmarek mentioned this issue Mar 8, 2020
Merged
marmarek added a commit to marmarek/qubes-mgmt-salt that referenced this issue Mar 8, 2020
@marmarek
Report empty output as a failure
cd7bf10 
salt-ssh may exit with code 0 even if applying state failed. One of such
cases is saltstack/salt#56131. Add a heuristic that checks output data -
if it's empty, report it as a failure for state.* command, as those
always produce some output (changes summary).

This converts silent failure into not-so-silent one (although there is
still no details why it failed).

Fixes QubesOS/qubes-issues#5705
@marmarek marmarek mentioned this issue Mar 8, 2020
Merged
@eloquence
Copy link

Thanks for the quick response & PRs, Marek. This is a critical issue for the SecureDrop Workstation pilot from our perspective as it prevents important system updates from succeeding, and we'd obviously prefer not to manually downgrade packages for security reasons. Is there any way we can help to get this over the finish line?

@marmarek
Copy link
Member

Main blocker is testing capacity (openqa busy on other set of PRs already). If you could test those two PRs in your environment too, that would help a lot.

@xet7
Copy link

xet7 commented Mar 14, 2020

When I update Qubes VMs, after updates it still shows that all did not update, with green arrow icon.

To get Debian 10 template updated, I need to do manually:

sudo apt update
sudo apt -y dist-upgrade
sudo apt clean
sudo apt autoclean
sudo apt -y autoremove

For Fedora 30 templates, I need to do manually:

sudo dnf upgrade
sudo dnf clean all

Would it be possible to change update scripts so that all this cleanup would also be run automatically?

marmarek added a commit to QubesOS/qubes-mgmt-salt-dom0-update that referenced this issue Mar 16, 2020
@marmarek
Drop states using 'onlyif' condition
6202f6e 
This is broken in salt 3000 (saltstack/salt#56131) currently shipped in
Fedora 30. Since those states apply changes already incorporated in all
released templates (and latest stable installation image), simply drop
them to unbreak updates.

Fixes QubesOS/qubes-issues#5705

(cherry picked from commit e32dc3f)
@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-mgmt-salt-dom0-update-4.0.9-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot mentioned this issue Mar 16, 2020
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-mgmt-salt-dom0-update-4.1.3-1.fc31 has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot mentioned this issue Mar 16, 2020
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-mgmt-salt_4.0.21-1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package mgmt-salt has been pushed to the r4.1 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.1-current-testing

Changes included in this update

@qubesos-bot qubesos-bot mentioned this issue Apr 24, 2020
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-mgmt-salt-dom0-update-4.1.3-1.fc31 has been pushed to the r4.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-mgmt-salt-4.0.22-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-mgmt-salt_4.0.22-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package mgmt-salt has been pushed to the r4.0 stable repository for the CentOS centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marmarek marmarek

Labels
C: mgmt P: major Priority: major. Between "default" and "critical" in severity. r4.0-bullseye-stable r4.0-buster-stable r4.0-centos7-stable r4.0-dom0-stable r4.0-fc29-stable r4.0-fc30-stable r4.0-fc31-stable r4.0-stretch-stable r4.1-bullseye-cur-test r4.1-buster-cur-test r4.1-centos7-cur-test r4.1-dom0-stable r4.1-fc29-stable r4.1-fc30-stable r4.1-fc31-cur-test r4.1-stretch-cur-test
Projects
None yet
Milestone
Release 4.0 updates
9 participants
@xet7 @eloquence @conorsch @marmarek @DemiMarie @redshiftzero @andrewdavidwong @emkll @qubesos-bot