qubes-issues icon indicating copy to clipboard operation
qubes-issues copied to clipboard
verified publisher icon QubesOS

Fedora 42 template

Open marmarek opened this issue 9 months ago • 14 comments

Fedora 42 (https://fedorapeople.org/groups/schedule/f-42/f-42-key-tasks.html) is planned for mid April 2025.

Tasks:

  • [x] build all packages
  • [x] update rpmfusion to final released version
  • [x] build the template
  • [ ] document
  • [x] upload to testing repo
  • [ ] migrate to stable repo
  • [ ] announce

If any issue affects Fedora 42 specifically (build failures, things that worked fine before etc.), please add reference to this issue too.

marmarek avatar Feb 25 '25 14:02 marmarek

The pull requests linked above are enough to build the template. I don't know yet if it works.

marmarek avatar Feb 26 '25 03:02 marmarek

@andrewdavidwong fedora-42 templates are ready for testing, both for R4.3 (available for some time already) and R4.2 (just built)

marmarek avatar Jun 09 '25 11:06 marmarek

dnf distro-sync fails with exit status 1 in the template if the user enabled the security-testing repo, because it doesn't exist yet for R4.2 (HTTP 404) and apparently this is a hard error now.

@fepitre I guess this will be relevant for the contrib(-testing) repos too since I remember them not being created until the first package has been built.

rustybird avatar Jun 09 '25 12:06 rustybird

After enabling only current-testing but not security-testing, qubes-vm-update still fails. Maybe it's confused by the repo signing key being imported?

[user@dom0 ~]$ qvm-clone fedora-42-minimal fedora-42-minimal-clone-1
fedora-42-minimal-clone-1: Cloning private volume
fedora-42-minimal-clone-1: Cloning root volume

[user@dom0 ~]$ qvm-run -u root fedora-42-minimal-clone-1 dnf config-manager setopt 'qubes-vm-*-current-testing.enabled=1'

[user@dom0 ~]$ qubes-vm-update --verbose --targets fedora-42-minimal-clone-1
fedora-42-minimal-clone-1 (error):   0%|                                                                                       | 0/100 [01:04<?, ?it/s]
fedora-42-minimal-clone-1:out: Refreshing package info
fedora-42-minimal-clone-1:out: Removed 0 files, 0 directories (total of 0 B). 0 errors occurred.
fedora-42-minimal-clone-1:err: Importing OpenPGP key 0x8E34D89F:
fedora-42-minimal-clone-1:err:  UserID     : "Qubes OS Release 4.2 Signing Key"
fedora-42-minimal-clone-1:err:  Fingerprint: 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
fedora-42-minimal-clone-1:err:  From       : file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
fedora-42-minimal-clone-1:err: Is this ok [y/N]: Failed to download metadata (baseurl: "https://yum.qubes-os.org/r4.2/current-testing/vm/fc42") for repository "qubes-vm-r4.2-current-testing"
fedora-42-minimal-clone-1:err:  Librepo error: repomd.xml GPG signature verification error: Signing key not found
fedora-42-minimal-clone-1:err: Importing OpenPGP key 0x8E34D89F:
fedora-42-minimal-clone-1:err:  UserID     : "Qubes OS Release 4.2 Signing Key"
fedora-42-minimal-clone-1:err:  Fingerprint: 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
fedora-42-minimal-clone-1:err:  From       : file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
fedora-42-minimal-clone-1:err: The key was successfully imported.
fedora-42-minimal-clone-1:out: 
fedora-42-minimal-clone-1:err: 

[user@dom0 ~]$ echo $?
23

23 is ERR_VM_REFRESH. If I retry the qubes-vm-update command, it succeeds:

[user@dom0 ~]$ qubes-vm-update --verbose --targets fedora-42-minimal-clone-1
fedora-42-minimal-clone-1 (success):   0%|                                                                                                                            | 0/100 [00:25<?, ?it/s]
fedora-42-minimal-clone-1:out: Refreshing package info
fedora-42-minimal-clone-1:out: Removed 0 files, 0 directories (total of 0 B). 0 errors occurred.
fedora-42-minimal-clone-1:out: krb5-libs.i686   1.21.3-6.fc42 updates
fedora-42-minimal-clone-1:out: krb5-libs.x86_64 1.21.3-6.fc42 updates
fedora-42-minimal-clone-1:err: Updating and loading repositories:
fedora-42-minimal-clone-1:err: Repositories loaded.
fedora-42-minimal-clone-1:out: Package                Arch   Version       Repository      Size
fedora-42-minimal-clone-1:err: Total size of inbound packages is 2 MiB. Need to download 2 MiB.
fedora-42-minimal-clone-1:err: After this operation, 12 KiB will be freed (install 5 MiB, remove 5 MiB).
fedora-42-minimal-clone-1:out: Upgrading:
fedora-42-minimal-clone-1:out:  krb5-libs             i686   1.21.3-6.fc42 updates      2.3 MiB
fedora-42-minimal-clone-1:out:    replacing krb5-libs i686   1.21.3-5.fc42 <unknown>    2.3 MiB
fedora-42-minimal-clone-1:out:  krb5-libs             x86_64 1.21.3-6.fc42 updates      2.3 MiB
fedora-42-minimal-clone-1:out:    replacing krb5-libs x86_64 1.21.3-5.fc42 <unknown>    2.3 MiB
fedora-42-minimal-clone-1:out: Transaction Summary:
fedora-42-minimal-clone-1:out:  Upgrading:          2 packages
fedora-42-minimal-clone-1:out:  Replacing:          2 packages
fedora-42-minimal-clone-1:err: [1/2] krb5-libs-0:1.21.3-6.fc42.x86_64  100% | 197.3 KiB/s | 759.8 KiB |  00m04s
fedora-42-minimal-clone-1:err: [2/2] krb5-libs-0:1.21.3-6.fc42.i686    100% | 209.2 KiB/s | 808.8 KiB |  00m04s
fedora-42-minimal-clone-1:err: --------------------------------------------------------------------------------
fedora-42-minimal-clone-1:err: [2/2] Total                             100% | 327.5 KiB/s |   1.5 MiB |  00m05s
fedora-42-minimal-clone-1:err: Running transaction
fedora-42-minimal-clone-1:err: [1/6] Verify package files              100% | 250.0   B/s |   2.0   B |  00m00s
fedora-42-minimal-clone-1:err: [2/6] Prepare transaction               100% |  55.0   B/s |   4.0   B |  00m00s
fedora-42-minimal-clone-1:err: [3/6] Upgrading krb5-libs-0:1.21.3-6.fc 100% |  45.8 MiB/s |   2.3 MiB |  00m00s
fedora-42-minimal-clone-1:err: [4/6] Upgrading krb5-libs-0:1.21.3-6.fc 100% |  74.7 MiB/s |   2.3 MiB |  00m00s
fedora-42-minimal-clone-1:err: [5/6] Removing krb5-libs-0:1.21.3-5.fc4 100% |   2.6 KiB/s |  64.0   B |  00m00s
fedora-42-minimal-clone-1:err: [6/6] Removing krb5-libs-0:1.21.3-5.fc4 100% |   7.0   B/s |  64.0   B |  00m09s
fedora-42-minimal-clone-1:err: Complete!
fedora-42-minimal-clone-1:out: Installed packages:
fedora-42-minimal-clone-1:out: None
fedora-42-minimal-clone-1:out: Updated packages:
fedora-42-minimal-clone-1:out: krb5-libs 1.21.3-5.fc42', '1.21.3-5.fc42 -> 1.21.3-6.fc42', '1.21.3-6.fc42
fedora-42-minimal-clone-1:out: Removed packages:
fedora-42-minimal-clone-1:out: None
fedora-42-minimal-clone-1:out: 
fedora-42-minimal-clone-1:err: 

[user@dom0 ~]$ echo $?
0

rustybird avatar Jun 09 '25 13:06 rustybird

because it doesn't exist yet for R4.2

Fixed.

marmarek avatar Jun 09 '25 16:06 marmarek

After enabling only current-testing but not security-testing, qubes-vm-update still fails. Maybe it's confused by the repo signing key being imported?

@piotrbartman any idea? it looks like it did imported the key in the end, but maybe it remembered failed result at this point already?

marmarek avatar Jun 09 '25 16:06 marmarek

@andrewdavidwong fedora-42 templates are ready for testing, both for R4.3 (available for some time already) and R4.2 (just built)

Testing team announcement: https://forum.qubes-os.org/t/fedora-42-templates-available-for-testing/34315

andrewdavidwong avatar Jun 09 '25 18:06 andrewdavidwong

~~The script utility (needed for use as an updatevm by qubes-dom0-update) is missing in the -minimal flavor because it has been moved into the new util-linux-script subpackage.~~

rustybird avatar Jun 09 '25 20:06 rustybird

Do you have qubes-core-agent-dom0-updates package installed? It should pull it in: https://github.com/QubesOS/qubes-core-agent-linux/pull/561 (and it got backported to R4.2 too).

marmarek avatar Jun 09 '25 21:06 marmarek

Do you have qubes-core-agent-dom0-updates package installed?

Oops, I do have a shell script that installs the package but this shell script itself used the script utility and confused me.

rustybird avatar Jun 10 '25 00:06 rustybird

how qubes-vm-update --force-upgrade --verbose --targets fedora-42-minimal-clone-1 behaves? You still need to run it twice? what's in the logs /var/log/qubes/update-fedora-42-minimal-clone-1.log (maybe it's worthy to add --log=DEBUG flag)

piotrbartman avatar Jun 10 '25 09:06 piotrbartman

how qubes-vm-update --force-upgrade --verbose --targets fedora-42-minimal-clone-1 behaves? You still need to run it twice?

--force-upgrade makes the upgrade go through the first time, but with exit status 23 nevertheless.

what's in the logs /var/log/qubes/update-fedora-42-minimal-clone-1.log (maybe it's worthy to add --log=DEBUG flag)

--log=DEBUG just shows dnf -q check-update --setopt=skip_if_unavailable=0 failing with exit status 1: update-fedora-42-minimal-clone-3.log

Interestingly, fedora-42-xfce-4.2.0-202506082132 doesn't have this problem on enabling the current-testing repo. With -xfce, for some reason dnf via qubes-vm-update also imports the rpmfusion nonfree and free keys (even though those repos are disabled!):

[user@dom0 ~]$ qvm-clone fedora-42-xfce fedora-42-xfce-clone-4
fedora-42-xfce-clone-4: Cloning private volume
fedora-42-xfce-clone-4: Cloning root volume

[user@dom0 ~]$ qvm-run -u root fedora-42-xfce-clone-4 dnf config-manager setopt 'qubes-vm-*-current-testing.enabled=1'

[user@dom0 ~]$ qubes-vm-update --verbose --log=DEBUG --targets fedora-42-xfce-clone-4
fedora-42-xfce-clone-4 (success): 100%|███████████████████████████████████████████████████████████████████████████████████████████| 100.0/100 [06:51<00:00,  4.11s/it]
fedora-42-xfce-clone-4:out: Refreshing package info
fedora-42-xfce-clone-4:out: Fetching packages:
fedora-42-xfce-clone-4:out: vte-profile-0.80.2-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: rpmfusion-nonfree-release-42-1.noarch.rpm: Fetched
fedora-42-xfce-clone-4:out: mesa-libgbm-25.0.7-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: vte291-0.80.2-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: mesa-va-drivers-25.0.7-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: krb5-libs-1.21.3-6.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: mesa-filesystem-25.0.7-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: mesa-libEGL-25.0.7-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: rpmfusion-free-release-42-1.noarch.rpm: Fetched
fedora-42-xfce-clone-4:out: mesa-libGL-25.0.7-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: krb5-libs-1.21.3-6.fc42.i686.rpm: Fetched
fedora-42-xfce-clone-4:out: mesa-vulkan-drivers-25.0.7-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:out: mesa-dri-drivers-25.0.7-2.fc42.x86_64.rpm: Fetched
fedora-42-xfce-clone-4:err: Importing GPG key 0x94843C65:
fedora-42-xfce-clone-4:err:  Userid     : "RPM Fusion nonfree repository for Fedora (2020) <[email protected]>"
fedora-42-xfce-clone-4:err:  Fingerprint: 79BD B88F 9BBF 7391 0FD4 095B 6A2A F961 9484 3C65
fedora-42-xfce-clone-4:err:  From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-42
fedora-42-xfce-clone-4:err: Importing GPG key 0xD651FF2E:
fedora-42-xfce-clone-4:err:  Userid     : "RPM Fusion free repository for Fedora (2020) <[email protected]>"
fedora-42-xfce-clone-4:err:  Fingerprint: E9A4 91A3 DE24 7814 E7E0 67EA E06F 8ECD D651 FF2E
fedora-42-xfce-clone-4:err:  From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-42
fedora-42-xfce-clone-4:out: Updating packages.
fedora-42-xfce-clone-4:out: mesa-filesystem-25.0.7-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: mesa-libgbm-25.0.7-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: mesa-dri-drivers-25.0.7-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: vte-profile-0.80.2-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: vte291-0.80.2-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: mesa-libEGL-25.0.7-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: mesa-libGL-25.0.7-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: mesa-va-drivers-25.0.7-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: mesa-vulkan-drivers-25.0.7-2.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: rpmfusion-nonfree-release-42-1.noarch: Upgrade
fedora-42-xfce-clone-4:out: rpmfusion-free-release-42-1.noarch: Upgrade
fedora-42-xfce-clone-4:out: krb5-libs-1.21.3-6.fc42.x86_64: Upgrade
fedora-42-xfce-clone-4:out: krb5-libs-1.21.3-6.fc42.i686: Upgrade
fedora-42-xfce-clone-4:out: mesa-va-drivers-25.0.7-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: rpmfusion-nonfree-release-42-0.2.noarch: Upgraded
fedora-42-xfce-clone-4:out: rpmfusion-free-release-42-0.2.noarch: Upgraded
fedora-42-xfce-clone-4:out: krb5-libs-1.21.3-5.fc42.i686: Upgraded
fedora-42-xfce-clone-4:out: mesa-libEGL-25.0.7-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: mesa-libGL-25.0.7-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: mesa-libgbm-25.0.7-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: mesa-dri-drivers-25.0.7-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: vte291-0.80.2-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: mesa-vulkan-drivers-25.0.7-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: mesa-filesystem-25.0.7-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: vte-profile-0.80.2-1.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: krb5-libs-1.21.3-5.fc42.x86_64: Upgraded
fedora-42-xfce-clone-4:out: Updated
fedora-42-xfce-clone-4:out: Installed packages:
fedora-42-xfce-clone-4:out: None
fedora-42-xfce-clone-4:out: Updated packages:
fedora-42-xfce-clone-4:out: gpg-pubkey 105ef944-65ca83d1', '8e34d89f-633c3eb9', '7bb6de87-593f289b', '44606ab9-635a7129', '7f3fada4-6616f727 -> 105ef944-65ca83d1', '8e34d89f-633c3eb9', '7bb6de87-593f289b', '44606ab9-635a7129', '7f3fada4-6616f727', '94843c65-5dadbc64', 'd651ff2e-5dadbbc1
fedora-42-xfce-clone-4:out: mesa-filesystem 25.0.7-1.fc42 -> 25.0.7-2.fc42
fedora-42-xfce-clone-4:ot: mesa-libgbm 25.0.7-1.fc42 -> 25.0.7-2.fc42
fedora-42-xfce-clone-4:out: mesa-dri-drivers 25.0.7-1.fc42 -> 25.0.7-2.fc42
fedora-42-xfce-clone-4:out: vte-profile 0.80.2-1.fc42 -> 0.80.2-2.fc42
fedora-42-xfce-clone-4:out: vte291 0.80.2-1.fc42 -> 0.80.2-2.fc42
fedora-42-xfce-clone-4:out: mesa-libEGL 25.0.7-1.fc42 -> 25.0.7-2.fc42
fedora-42-xfce-clone-4:out: mesa-libGL 25.0.7-1.fc42 -> 25.0.7-2.fc42
fedora-42-xfce-clone-4:out: mesa-va-drivers 25.0.7-1.fc42 -> 25.0.7-2.fc42
fedora-42-xfce-clone-4:out: mesa-vulkan-drivers 25.0.7-1.fc42 -> 25.0.7-2.fc42
fedora-42-xfce-clone-4:out: rpmfusion-nonfree-release 42-0.2 -> 42-1
fedora-42-xfce-clone-4:out: rpmfusion-free-release 42-0.2 -> 42-1
fedora-42-xfce-clone-4:out: krb5-libs 1.21.3-5.fc42', '1.21.3-5.fc42 -> 1.21.3-6.fc42', '1.21.3-6.fc42
fedora-42-xfce-clone-4:out: Removed packages:
fedora-42-xfce-clone-4:out: None
fedora-42-xfce-clone-4:err: Importing OpenPGP key 0x8E34D89F:
fedora-42-xfce-clone-4:err:  UserID     : "Qubes OS Release 4.2 Signing Key"
fedora-42-xfce-clone-4:err:  Fingerprint: 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
fedora-42-xfce-clone-4:err:  From       : file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
fedora-42-xfce-clone-4:err: The key was successfully imported.
fedora-42-xfce-clone-4:out: 
fedora-42-xfce-clone-4:err: 

[user@dom0 ~]$ echo $?
0

rustybird avatar Jun 10 '25 12:06 rustybird

--log=DEBUG just shows dnf -q check-update --setopt=skip_if_unavailable=0 failing with exit status 1: update-fedora-42-minimal-clone-3.log

I guess this should have also --assumeyes

With -xfce, for some reason dnf via qubes-vm-update also imports the rpmfusion nonfree and free keys (even though those repos are disabled!):

Ugh, that's bad. I guess something went wrong with python dnf API usage and repo enabled flag is ignored...

marmarek avatar Jun 10 '25 12:06 marmarek

With --assumeyes added to /usr/lib/python3.11/site-packages/vmupdate/agent/source/dnf/dnf_cli.py, the -minimal upgrade succeeds. Weird that it's not necessary for -xfce though.

I vaguely remember the equivalent option being controversial for apt because it might answer yes to some "Are you sure you want to ignore this security problem?" type question.

rustybird avatar Jun 10 '25 12:06 rustybird

With -xfce, for some reason dnf via qubes-vm-update also imports the rpmfusion nonfree and free keys (even though those repos are disabled!)

I guess something went wrong with python dnf API usage and repo enabled flag is ignored...

This doesn't happen if enabled=0 is set in the actual .repo files in /etc/yum.repos.d/, instead of /etc/dnf/repos.override.d/99-config_manager.repo.

Maybe repos.override.d/ has to be loaded explicitly somehow?

rustybird avatar Jun 26 '25 10:06 rustybird

repo.override.d is a DNF5 thing, and the qubes-vm-update got support for it relatively recently. In fact, it looks like this support isn't backported to R4.2 yet.

marmarek avatar Jun 26 '25 12:06 marmarek

Oh right, so the problem also affects the Fedora 41 templates on R4.2. It's just not visible, because none of the preinstalled packages currently have an update from RPM Fusion.

On fedora-42-xfce-4.2.0-202506082132 there are updates for rpmfusion-[non]free-release from the old version 42-0.2 preinstalled from @commandline to the new version 42-1 provided by the respective RPM Fusion repositories themselves.

rustybird avatar Jun 26 '25 14:06 rustybird

I think it's more than ready to move it to stable. @andrewdavidwong can you prepare the announcement?

marmarek avatar Jul 25 '25 02:07 marmarek