Fedora 41 template

[marmarek]

Fedora 41 (https://fedorapeople.org/groups/schedule/f-41/f-41-key-tasks.html) is planned for end of October 2024. Tasks below should start after mass rebuild (planned for July/August).

Tasks:

• [x] build all packages
• [x] fix: The current post-upgrade hook is not able to reset the updates-available feature after successful upgrades
• [x] update rpmfusion to final released version
• [ ] build the template
• [ ] document
• [ ] upload to testing repo
• [ ] migrate to stable repo
• [ ] announce

If any issue affects Fedora 41 specifically (build failures, things that worked fine before etc.), please add reference to this issue too.

[alimirjamali]

@marmarek dnf5 complains if --downloadonly, --allowerasing or --best is provided for search action. I submitted a patch.

I have to find the right option to disable ANSI highlighting for search action

p.s.: Looking at dnf5 help & source code, I did not find any option to disable ANSI highlighting. The only option that comes to mind would be avoiding script to emulate a TTY in qubes-dom0-update

[alimirjamali]

The current post-upgrade hook is not able to reset the updates-available feature after successful upgrades on Fedora 41 templates. The upgrades-status-notify script still works well.

[marmarek]

When building F41 template in F40 dispvm, the setfiles call fails with:

[  373.180307] audit: type=1400 audit(1727264039.419:2004): avc:  denied  { mac_admin } for  pid=20954 comm="setfiles" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
[  373.180359] audit: type=1401 audit(1727264039.419:2004): op=setxattr invalid_context="system_u:object_r:systemd_mountfsd_exec_t:s0"
[  373.317409] audit: type=1400 audit(1727264039.556:2005): avc:  denied  { mac_admin } for  pid=20954 comm="setfiles" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
[  373.317460] audit: type=1401 audit(1727264039.556:2005): op=setxattr invalid_context="system_u:object_r:systemd_nsresourced_exec_t:s0"

(and few others) IIUC the setfiles applying labels based on policy from F41 fails on types that do not exist in F40. Any ideas how to solve this?

[marmarek]

qubes-vm-update is not happy with Fedora 41 tests (DNF5?):

2024-09-30 05:16:55,902 Running update agent for test-inst-vm1
2024-09-30 05:16:55,905 Transferring files to destination qube: test-inst-vm1
2024-09-30 05:16:56,136 The agent is starting the task in qube: test-inst-vm1
2024-09-30 05:16:59,781 Command '('/usr/bin/python3', '/run/qubes-update/agent/entrypoint.py', '--log', 'INFO', '--no-progress')' returned non-zero exit status 24.
2024-09-30 05:16:59,646 [Agent] agent out: Installed packages:
2024-09-30 05:16:59,646 [Agent] agent out: None
2024-09-30 05:16:59,646 [Agent] agent out: Updated packages:
2024-09-30 05:16:59,646 [Agent] agent out: None
2024-09-30 05:16:59,646 [Agent] agent out: Removed packages:
2024-09-30 05:16:59,646 [Agent] agent out: None
2024-09-30 05:16:59,646 [Agent] agent out: 
2024-09-30 05:16:59,851 Remove /run/qubes-update/
2024-09-30 05:16:59,927 agent exit code: 24

I'm debugging this

[marmarek]

The current post-upgrade hook is not able to reset the updates-available feature after successful upgrades on Fedora 41 templates. The upgrades-status-notify script still works well.

The python plugins seems to be not supported in DNF5. But there is an "actions" plugin already that seems to allow plugging the notification call: https://dnf5.readthedocs.io/en/stable/libdnf5_plugins/actions.8.html

[alimirjamali]

The python plugins seems to be not supported in DNF5.

The python3-libdnf5-python-plugins-loader is useless in this case. It only supports DNF5 specific plugins.

[Minimalist73]

I installed the latest fedora-41-xfce template build and it seems that the cvt package is not installed by default, which breaks the in-qube screen layout since qubes.SetMonitorLayout depends on it. It should probably be set as a required dependency of qubes-gui-agent?

[aronowski]

• Clicking on the qui-domains widget and selecting the "Run Terminal" option spawns xterm instead of ptyxis
• Ptyxis isn't allowlisted as a menu entry - proposed solution: https://github.com/QubesOS/qubes-builder-rpm/pull/139
• Looks like some Qt5 applications are affected by https://github.com/QubesOS/qubes-issues/issues/9457 - VLC is, KeePassXC isn't (further investigation related to the exact Qt versions needed).

[rustybird]

The rpmfusion and google-chrome repos now have enabled=1 in their main repo definitions, overridden to enabled=0 in /etc/dnf/repos.override.d/99-config_manager.repo. It's an artifact of the DNF5 version of config-manager that's used by qubes-builder-rpm. Not necessarily a problem, I just found it confusing.

[marmarek]

On Sat, Nov 09, 2024 at 03:30:18AM -0800, Rusty Bird wrote:

The rpmfusion repos now have enabled=1 in their main repo definitions, overridden to enabled=0 in /etc/dnf/repos.override.d/99-config_manager.repo. It's an artifact of the DNF5 version of config-manager that's used by qubes-builder-rpm. Not necessarily a problem, I just found it confusing.

Yes, that's how config-manager works in DNF5. Old DNF didn't support repo.override.d dirs so it wasn't possible and it modified original file. IMO the new behavior is better as it doesn't conflicts with repo file updates (modified file would not be updated and new version would be saved in .rpmnew file).

-- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

[rustybird]

IMO the new behavior is better as it doesn't conflicts with repo file updates (modified file would not be updated and new version would be saved in .rpmnew file).

Makes sense.

Should the new behavior get a mention in template announcement? Because I'm guessing other people might also be confused about how to enable the rpmfusion / google-chrome repos.