How-to: Fix dom0 Qubes-Whonix ™ UpdatesProxy Settings
Introduction[edit]
If the following warning appears.
WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.
If the warning message is transient, it can be safely ignored. Otherwise, try one of the fixes below.
Update dom0[edit]
Launch a dom0
terminal.
Click the Qubes App Launcher (blue/grey "Q")
→ Open the Terminal Emulator (Xfce Terminal)
Upgrade Qubes dom0
. This step is mandatory. [1]
- Qubes R4.0: sudo qubes-dom0-update
- Qubes R4.1 [2]: sudo qubes-dom0-update --show-output --console
Templates[edit]
Error Resolution Methods[edit]
The following fixes are listed in order of preference.
Salt Fix[edit]
In dom0
.
Use qubesctl
to setup dom0
settings. [3]
Next, check if the problem has been corrected. Run the following command in Whonix ™ Template.
Then try to update / use apt
again.
If there are still problems, try the manual fix below.
Manual Fix[edit]
1. Make sure Whonix-Gateway ™ (sys-whonix
) is running.
Check the dom0
/etc/qubes-rpc/policy/qubes.UpdatesProxy
settings.
2. At the very top of that file, the following text should appear.
If it is not there, add it.
To view a complete example of the /etc/qubes-rpc/policy/qubes.UpdatesProxy
file, please press on expand on the right.
/etc/qubes-rpc/policy/qubes.UpdatesProxy
(raw
):
## Note that policy parsing stops at the first match, ## so adding anything below "$anyvm $anyvm action" line will have no effect ## Please use a single # to start your custom comments # Upgrade all Templates through {{project_name_gateway_vm}}. #$type:Template $default allow,target={{project_name_gateway_vm}} # Upgrade {{project_name_long}} templateVMs through {{project_name_gateway_vm}}. $tag:whonix-updatevm $default allow,target={{project_name_gateway_vm}} # Deny {{project_name_long}} templateVMs using UpdatesProxy of any other VM. $tag:whonix-updatevm $anyvm deny # Default rule for all Templates - direct the connection to sys-net $type:Template $default allow,target=sys-net $anyvm $anyvm deny
3. If Multiple Qubes-Whonix ™ Templates are configured -- like when the Whonix ™ Template is cloned -- please press on expand on the right.
The following syntax should apply.
Example entry for Whonix-Gateway ™ Template.
Example entry for Whonix-Workstation ™ Template.
4. To test if it is fixed, run the following command in Whonix ™ Template.
5. Then try to update / use apt
again.
Reinstallation Fix[edit]
If the salt and manual fix attempts both fail, then follow the steps to Reinstall Qubes-Whonix ™ Templates. If reinstallation also fails, then ask for support in the Whonix ™ forums.
dom0[edit]
Qubes dom0
does not use Qubes UpdatesProxy. [4] Therefore file /etc/qubes-rpc/policy/qubes.UpdatesProxy
does not influence which VM will be used by dom0
for fetching updates.
For completeness sake, see below on how to configure the Qubes dom0
UpdateVM setting.
To force dom0
updates over Tor, set Qubes' dom0
UpdateVM to sys-whonix
. [5]
Qube Manager
→System
→Global Settings
→Dom0 UpdateVM:
sys-whonix
→OK
To revert this change, set Qubes' dom0
UpdateVM to sys-firewall
or another preferred VM. [6]
Qubes Manager
→System
→Global Settings
→Dom0 UpdateVM:
sys-firewall
→OK
Development[edit]
The following Qubes-Whonix ™ and Whonix ™ GitHub development resources are recommended for interested readers:
- 40_qubes.conf
- qubes-whonix-torified-updates-proxy-check.service
- torified-updates-proxy-check
- qubes.UpdatesProxy.policy
- uwt
Footnotes[edit]
- ↑
Upgrade Qubes
dom0
is required to make sure:- version file
/srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja
contains the current version number of Whonix ™ is up to date, - a recent version of Qubes repository definition files,
- Qubes salt,
- qubes-core-admin-addon-whonix
,
- as well as qubes-mgmt-salt-dom0-virtual-machines
are installed and up to date.
- version file
- ↑
Using
--show-output --console
is optional, recommended because of Qubes upstream bug:qubes-dom0-update
showsNo updates available
in case of network is down /qubes-dom0-update
fails to notice if repositories are unreachable / network is down
- ↑ Dev/Qubes#salt
- ↑ Qubes generally, not Whonix ™ specific implementation.
- ↑
Or manually set the torified UpdateVM in
dom0
terminal.qubes-prefs updatevm sys-whonix - ↑
To revert this change in
dom0
terminal, run.qubes-prefs updatevm sys-firewall