qvm-template list is incomplete when the updatevm has sys-cacher configured

[ben-grande]

Software version

Possibly every since sys-cacher.install-client is being called in sys-pihole.install in R4.2.

Brief summary

Listing templates from Dom0 does not work if using certain qubes for certain functionality that should support it, as sys-pihole is being set as the updatevm.

Steps to reproduce

Install sys-pihole, configure it to be the updatevm and make sure it is using sys-cacher as the updates proxy. Make sure that sys-cacher netvm is set to sys-pihole.

Notice the template list is incomplete. Comment the proxy line in /etc/dnf/dnf.conf and try again and see that the list is complete.

Expected behavior

Complete list of templates available.

Actual behavior

Incomplete list of templates via qvm-template list, only showing installed templates.

dom0 calls sys-pihole via qvm-template, which calls sys-cacher via qubes.UpdatesProxy, which then calls sys-pihole again as the netvm.

Possible solution

There are two solutions:

1. do not cache updates from sys-pihole as it is probably the netvm of the sys-cacher
2. create a separate updatevm

The first option disadvantage is having a slower install as packages are fetched through the network if they are not cached.

The second option disadvantage is that the updatevm is never powered off automatically after being used, leaving it hanging around while setting the updatevm to be the same as the default_netvm is good as it does not require one more qube to be powered on, besides that there are no security benefits in having a separate updater qube for dom0 as it does not trust the DomU anyway.

Although there are two solutions to the problem, it doesn't answer clearly why the problem occurs? What happens in sys-pihole that when using sys-cacher, the fetching of the template list does not work, while updating dom0 does work?

[ben-grande]

Couldn't make a updatevm behave correctly with sys-cacher when using it for Template listing. Dom0 updates were never affected, but template listing/searching/installing was. It only happened if you installed the sys-cacher formula to the debian template before creating the sys-pihole StandaloneVM plus making sys-pihole the updatevm.

Why revisit this issue later:

• Faster updates with cacher for the sys-pihole StandaloneVM.

Why not do it:

• Using the UpdatesProxy on any qube can change the network chain and cause leaks to a network that is not the same as the netvm of said qube. In the default state it didn't happen because sys-cacher netvm is the default_netvm sys-pihole.