QubesOS
Document behavior of `/etc/qubes-rpc/qubes.PostInstall` in Debian qubes
Qubes OS release
4.2, probably 4.3
Brief summary
See post on forum: https://forum.qubes-os.org/t/how-can-i-execute-a-script-after-each-update/25904/9
On Fedora after a successful dnf install or dnf remove a hook runs /etc/qubes-rpc/qubes.PostInstall which executes each *.sh script in /etc/qubes/post-install.d/. I think the same is intended to happen on Debian- a dpkg hook locally runs the rpc. But it appears to not be implemented, or only implemented for the qubes-core-agent package (based on a brief grep of outdated repos).
Steps to reproduce
Using a clean clone of debian-13-minimal:
root@testvm:~# cat /etc/qubes/post-install.d/31-testing.sh
#!/bin/sh
touch /root/ran-post-install
root@testvm:~# stat -c '%A' /etc/qubes/post-install.d/31-testing.sh
-rwxr-xr-x
root@testvm:~# ls /root
root@testvm:~# apt install -q -y tree
Reading package lists...
Building dependency tree...
Reading state information...
Installing:
tree
Summary:
Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0
# <snip>
root@testvm:~# ls /root
root@testvm:~#
# nothing -- post-install.d script did not run :(
Expected behavior
The /etc/qubes/post-install.d/31-testing.sh script I added should have been executed.
Actual behavior
None of the scripts in /etc/qubes/post-install.d were run.
Additional information
If I run /etc/qubes-rpc/qubes.PostInstall explicitly:
root@testvm~# /etc/qubes-rpc/qubes.PostInstall
root@testvm:~# ls /root
ran-post-install
So the post-install.d script I added does work. It appears that the qubes.PostInstall step does not run on Debian after package installation/removal.
A bit of historical context: initially qubes.PostInstall service was meant to be called just once, after template installation. But later it got re-used for other purposes, so it might be called inconsistent for that reason.
One of those other purposes is refreshing list of application menu entries. Dpkg provides a mechanism to register hooks for specific directories, so qubes-core-agent monitors /usr/share/applications. DNF doesn't have such functionality, so qubes.PostInstall gets called after each update.
What is getting called after each update for both Fedora and Debian is reporting update status. But that mechanism doesn't allow plugging any extra scripts.
Since people want to use qubes.PostInstall for more things, I guess it can be made to run each time in Debian too.
I see. So the implementation on Debian is more surgical than on Fedora, it accomplishes what it is intended to do. And the expectation about what /etc/qubes/post-install.d is for is based on propagation of folk wisdom / user experience on the more widely used Fedora templates (+ somewhat ambiguous README).
I think personally I am indifferent to whether this is made consistent. Debian provides a non-Qubes mechanism for this same functionality:
/etc/dpkg/dpkg.cfg.d/31-foo-post-install-hook:
post-invoke=<some script with a switch/case on $DPKG_HOOK_ACTION>
Maybe it is enough that the behavior has been clarified here, plus a small docs-only pull request.