Open ayakael opened 2 years ago
ayakael
commented
9 months ago @lubellier The new template RPM will have qubes-updates-proxy-forwarder added to boot. Old templates will have to apk upgrade + rc-update add qubes-updates-proxy-forwarder to enable the APK proxy.
jobforacowboy
commented
9 months ago @ayakael i have request refused in /var/log/qubes/qubes-updates-proxy-forwarder.err on alpine based AppVM or StandaloneVM. it seems like /etc/qubes/policy.d/90-default.policy need modifications.
marmarek
commented
9 months ago do not modify the 90-default.policy file, use earlier file instead. Is that R4.2? if so, there should be 50-config-updates.policy that is managed by the GUI "qubes global config" tool - you can configure updates proxy there (but defaults should work...)
is this standalone qube instead of template by a chance? those should not use updates proxy by default (but it's still okay to enable it, if you configure policy for it too)
jobforacowboy
commented
9 months ago @marmarek, R4.2
Denied qubes.UpdatesProxy from test-alpine to @default
qvm-prefs test-alpine
audiovm D dom0
autostart D False
backup_timestamp U
debug D False
default_dispvm D default-dvm
default_user D user
dns D 10.139.1.1 10.139.1.2
gateway D
gateway6 D
guivm D dom0
icon D appvm-red
include_in_backups D True
installed_by_rpm D False
ip D 10.137.0.27
ip6 D
kernel D 6.6.14-1.fc37
kernelopts D swiotlb=2048
keyboard_layout D us++
klass D AppVM
label - red
mac D 00:16:3e:5e:6c:00
management_dispvm D default-mgmt-dvm
maxmem D 4000
memory D 400
name - test-alpine
netvm D sys-firewall
provides_network - False
qid - 27
qrexec_timeout D 60
shutdown_timeout D 60
start_time D 1707744843.24
stubdom_mem U
stubdom_xid D -1
template - alpine
template_for_dispvms D False
updateable D False
uuid - 03d4dc3d-e9b2-488d-b976-d13103c2475d
vcpus D 2
virt_mode D pvh
visible_gateway D 10.138.38.213
visible_gateway6 D
visible_ip D 10.137.0.27
visible_ip6 D
visible_netmask D 255.255.255.255
xid D 17default settings in my policy
/etc/qubes/policy.d/50-config-updates.policy
# THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
# Any changes made manually may be overwritten by Qubes Configuration Tools.
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
ah, so it isn't even standalone, just normal app qube; proxy shouldn't be enabled in that case, see https://github.com/QubesOS/qubes-core-agent-linux/blob/main/network/update-proxy-configs#L79 (updates-proxy-setup is enabled in templates only: https://github.com/QubesOS/qubes-core-agent-linux/blob/main/vm-systemd/qubes-sysinit.sh#L9-L13)
ayakael
commented
9 months ago ah, so it isn't even standalone, just normal app qube; proxy shouldn't be enabled in that case, see https://github.com/QubesOS/qubes-core-agent-linux/blob/main/network/update-proxy-configs#L79 (
updates-proxy-setupis enabled in templates only: https://github.com/QubesOS/qubes-core-agent-linux/blob/main/vm-systemd/qubes-sysinit.sh#L9-L13)
I see, we're missing if qsvc yum-proxy-setup || qsvc updates-proxy-setup ; then logics for apk. I'll investigate this later this week. Anyways, the current alias approach for setting https_proxy env for apk is not excellent. We need a better approach.
lubellier
commented
9 months ago Anyways, the current
aliasapproach for settinghttps_proxyenv for apk is not excellent. We need a better approach.
I agree.
Apk doesn't provide a setting file for the proxy settings. So we should find a way to inject the https_proxy env for the apk command. Apk uses libfetch, libfetch get the proxy settings in http.c:780.
Ideas : a shell function, a shell script, sudo env https_proxy="http://127.0.0.1:8082/" apk, ...
oddgirl
commented
8 months ago This interests me greatly but... how do I go about installing it on Qubes 4.1 ? Do I need to get an RPM from https://lab.ilot.io/ayakael/qubes-builder-alpine/-/releases into dom0 manually and then ride from there or what ? (confused noob)
ayakael
commented
8 months ago @oddgirl Yes, here are the steps:
qvm-run --pass-io $vm 'cat /home/user/Downloads/alpine319-r41--1/downloads/template/qubes-template-alpine319-r41-r1.rpm > qubes-template-alpine319.rpm./rpm --install qubes-template-alpine319.rpmEventually, it would be nice to have the RPM's available in a signed repo, but the infra for that is not setup yet.
ayakael
commented
6 months ago Of note, I've rebuilt all r4.1 and r4.2 packages to support current edge that now uses python 3.12. With r4.1 EOL in mid-june, this is likely the last update for r4.1 packages. I will sunset the r4.1 building infra around that time, as well.
EDIT Alpine 3.20, due for release in the beginning of may, will thus be the last release that will support r4.1, and that only till mid-june.
TwinkleToes777
commented
4 months ago When is v3.20 alpine template coming?
TwinkleToes777
commented
4 months ago https://lab.ilot.io/ayakael/repo-apk/-/raw/v3.20/qubes/r4.2/x86_64/APKINDEX.tar.gz is timing out on update
ayakael
commented
4 months ago @TwinkleToes777 v3.20 template is up. As for the timing out issue, do you have it now? I can't reproduce on my side.
ayakael
commented
3 months ago For the record, I am now tracking r4.3 packages here: https://lab.ilot.io/ayakael/repo-apk/-/tree/v3.20/qubes/r4.3/x86_64?ref_type=heads
I've yet to test them, so your mileage may vary.
ayakael
commented
3 months ago Of note, I've fixed a bug with qubes-usb-proxy which broke attaching devices to the Alpine AppVM. Incidently, this seems to also fix using Alpine Linux as a base for sys-usb. I'm working on porting https://github.com/QubesOS/qubes-app-linux-input-proxy, but I'm not sure how to port the systemd services to openrc.
(edit: a package for the input proxy is already available via qubes-input-proxy, but it wont automatically spawn the proxy process since it does that via udev and systemd. It's available via the repo though, for those who wish to figure out an openrc implementation)
ayakael
commented
3 months ago I figured it out, qubes-input-proxy is now implemented in openrc and ready for testing. Y'all can get access to this simply by apk upgrading your template, and moving sys-usb to use the Alpine template.
ayakael
commented
2 months ago Hello everyone, an important infrastructure update.
The repos now have a new home on my very own Forgejo instance. You can browse them here:
This will bring some much needed infrastructure upgrades:
1) We can now use proper Alpine Linux and RPM repositories
2) Alpine package signing is now handled seperately from the package building workflows
3) The Qubes template RPM is now available on a signed template. It is thus installable using qvm-template
These changes require manual intervention on already-existing templates to use the new Alpine Linux repo
1) Update repo in /etc/apk/repositories to use this instead:
https://ayakael.net/api/packages/forge/alpine/v3.20/qubes-r4.22) Go to /etc/apk/keys and download new key:
cd /etc/apk/keys
curl -JO https://ayakael.net/api/packages/forge/alpine/keyIf you wish to install an updated template, you can follow the instructions on the README in qubes-builder-alpine's new repo.
TwinkleToes777
commented
1 month ago @TwinkleToes777 v3.20 template is up. As for the timing out issue, do you have it now? I can't reproduce on my side.
It's gone now. I tested qubes-usb-proxy and the first sys-usb works, second sys-usb does not work (does not see any USB devices). (I have two USB controllers)
It works if first sys-usb is on alpine template and second sys-usb is on debian template.
TwinkleToes777
commented
1 month ago Any plans to make it work as sys-firewall/sys-net ?
toothlesslizard
commented
1 month ago @ayakael can you please check alpine/edge/testing repo. something is broken after template update (qubes-packages or new release)
alpine-test:~$ cat /etc/apk/repositories
https://dl-cdn.alpinelinux.org/alpine/edge/main
https://dl-cdn.alpinelinux.org/alpine/edge/community
https://dl-cdn.alpinelinux.org/alpine/edge/testing
https://ayakael.net/api/packages/forge/alpine/v3.20/qubes-r4.2
alpine-test:~$ @toothlesslizard Thank you for sharing this issue. I think a few packages are due for upgrade. By the way, if you are on edge, the repo should be https://ayakael.net/api/packages/forge/alpine/edge/qubes-r4.2
ayakael
commented
1 month ago @TwinkleToes777 I hope to eventually get to sys-{firewall,net}. That said, I don't see myself getting to that before the end of 2024. If you figure it out, feel free to share how you made it work and I'll integrate the changes in the template builder.
ayakael
commented
3 weeks ago @toothlesslizard Was your issue related to gui agent failure? I've upgraded my edge template and indeed something broke on the GUI side of things. I lack time right now to debug this but will make today or tomorrow to figure out a fix. It seems like this is due to something that changed on the Alpine side of things, as latest qubes-vm-gui (4.2.18) works on 3.20.
ayakael
commented
3 weeks ago I fixed the issue causing edge templates to fail. It was introduced by https://gitlab.alpinelinux.org/alpine/aports/-/commit/7ce7590c3a49bb6ea5996296c51250178e1c4e2f, which is a change in-line with Alpine's new policy on merging /lib and /sbin into /usr. This caused an issue where a udev rule that gave access to xen devices to the qubes group wasn't picked up. Via https://ayakael.net/forge/qports/pulls/101 I've thus followed suite and merged everything qports related into /usr. This fixed the issue, and brings the template in line with where things should land for v3.21.
For those on an edge template who lost access, you can fix your template by updating it through sudo xl console template-name and apk update; apk upgrade and restarting your template.
description
QubeOS should have an Alpine Linux template. This has been requested in the past, and I've finally decided to tackle it, having packaging experience with this distro. This space is for tracking issues.
current state
steps
hurdles