Merge branch 'QubesOS:main' into main

.gitlab-ci.yml

@@ -3,3 +3,19 @@ include:
   project: QubesOS/qubes-continuous-integration
 - file: /r4.2/gitlab-host.yml
   project: QubesOS/qubes-continuous-integration
+
+checks:tests:
+  stage: checks
+  variables:
+    PYTEST_ADDOPTS: "--color=yes"
+  before_script: &before-script
+    - "PATH=$PATH:$HOME/.local/bin"
+    - sudo dnf install -y python3-pytest python3-coverage
+    - pip3 install --quiet -r ci/requirements.txt
+    - git clone https://github.com/QubesOS/qubes-core-admin-client ~/core-admin-client
+  script:
+    - export PATH="$HOME/.local/bin:$PATH"
+    - PYTHONPATH=~/core-admin-client ./run-tests.sh
+  after_script:
+    - "PATH=$PATH:$HOME/.local/bin"
+    - ci/codecov-wrapper

ci/codecov-keys.asc

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCsMn0BEACiCKZOhkbhUjb+obvhH49p3ShjJzU5b/GqAXSDhRhdXUq7ZoGq
+KEKCd7sQHrCf16Pi5UVacGIyE9hS93HwY15kMlLwM+lNeAeCglEscOjpCly1qUIr
+sN1wjkd2cwDXS6zHBJTqJ7wSOiXbZfTAeKhd6DuLEpmA+Rz4Yc+4qZP+fVxVG3Pv
+2v06m+E5CP/JQVQPO8HYi+S36hJImTh+zaDspu+VujSai5KzJ6YKmgwslVNIp5X5
+GnEr2uAh5w6UTnt9UQUjFFliAvQ3lPLWzm7DWs6AP9hslYxSWzwbzVF5qbOIjUJL
+KfoUpvCYDs2ObgRn8WUQO0ndkRCBIxhlF3HGGYWKQaCEsiom7lyi8VbAszmUCDjw
+HdbQHFmm5yHLpTXJbg+iaxQzKnhWVXzye5/x92IJmJswW81Ky346VxYdC1XFL/+Y
+zBaj9oMmV7WfRpdch09Gf4TgosMzWf3NjJbtKE5xkaghJckIgxwzcrRmF/RmCJue
+IMqZ8A5qUUlK7NBzj51xmAQ4BtkUa2bcCBRV/vP+rk9wcBWz2LiaW+7Mwlfr/C/Q
+Swvv/JW2LsQ4iWc1BY7m7ksn9dcdypEq/1JbIzVLCRDG7pbMj9yLgYmhe5TtjOM3
+ygk25584EhXSgUA3MZw+DIqhbHQBYgrKndTr2N/wuBQY62zZg1YGQByD4QARAQAB
+tEpDb2RlY292IFVwbG9hZGVyIChDb2RlY292IFVwbG9hZGVyIFZlcmlmaWNhdGlv
+biBLZXkpIDxzZWN1cml0eUBjb2RlY292LmlvPokCTgQTAQoAOBYhBCcDTn/bhQ4L
+vCxi/4Brsortd5hpBQJgrDJ9AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
+EIBrsortd5hpxLMP/3Fbgx5EG7zUUOqPZ+Ya9z8JlZFIkh3FxYMfMFE8jH9Es26F
+V2ZTJLO259MxM+5N0XzObi3h4XqIzBn42pDRfwtojY5wl2STJ9Bzu+ykPog7OB1u
+yfWXDRKcqPTUIxI1/WdU+c0/WNE6wjyzK+lRc1YUlp4pdNU7l+j2vKN+jGi2b6nV
+PTPRsMcwy3B90fKf5h2wNMNqO+KX/rjgpG9Uhej+xyFWkGM1tZDQQYFj+ugQUj61
+BMsQrUmxOnaVVnix21cHnACDCaxqgQZH3iZyEOKPNMsRFRP+0fLEnUMP+DVnQE6J
+Brk1Z+XhtjGI9PISQVx5KKDKscreS/D5ae2Cw/FUlQMf57kir6mkbZVhz2khtccz
+atD0r59WomNywIDyk1QfAKV0+O0WeJg8A69/Jk6yegsrUb5qEfkih/I38vvI0OVL
+BYve/mQIHuQo5ziBptNytCrN5TXHXzguX9GOW1V1+3DR+w/vXcnz67sjlYDysf1f
+JUZv9edZ2RGKW7agbrgOw2hB+zuWZ10tjoEcsaSGOLtKRGFDfmu/dBxzl8yopUpa
+Tn79QKOieleRm5+uCcKCPTeKV0GbhDntCZJ+Yiw6ZPmrpcjDowAoMQ9kiMVa10+Q
+WwwoaRWuqhf+dL6Q2OLFOxlyCDKVSyW0YF4Vrf3fKGyxKJmszAL+NS1mVcdxuQIN
+BGCsMn0BEADLrIesbpfdAfWRvUFDN+PoRfa0ROwa/JOMhEgVsowQuk9No8yRva/X
+VyiA6oCq6na7IvZXMxT7di4FWDjDtw5xHjbtFg336IJTGBcnzm7WIsjvyyw8kKfB
+8cvG7D2OkzAUF8SVXLarJ1zdBP/Dr1Nz6F/gJsx5+BM8wGHEz4DsdMRV7ZMTVh6b
+PaGuPZysPjSEw62R8MFJ1fSyDGCKJYwMQ/sKFzseNaY/kZVR5lq0dmhiYjNVQeG9
+HJ6ZCGSGT5PKNOwx/UEkT6jhvzWgfr2eFVGJTcdwSLEgIrJIDzP7myHGxuOiuCmJ
+ENgL1f7mzGkJ/hYXq1RWqsn1Fh2I9KZMHggqu4a+s3RiscmNcbIlIhJLXoE1bxZ/
+TfYZ9Aod6Bd5TsSMTZNwV2am9zelhDiFF60FWww/5nEbhm/X4suC9W86qWBxs3Kh
+vk1dxhElRjtgwUEHA5OFOO48ERHfR7COH719D/YmqLU3EybBgJbGoC/yjlGJxv0R
+kOMAiG2FneNKEZZihReh8A5Jt6jYrSoHFRwL6oJIZfLezB7Rdajx1uH7uYcUyIaE
+SiDWlkDw/IFM315NYFA8c1TCSIfnabUYaAxSLNFRmXnt+GQpm44qAK1x8EGhY633
+e5B4FWorIXx0tTmsVM4rkQ6IgAodeywKG+c2Ikd+5dQLFmb7dW/6CwARAQABiQI2
+BBgBCgAgFiEEJwNOf9uFDgu8LGL/gGuyiu13mGkFAmCsMn0CGwwACgkQgGuyiu13
+mGkYWxAAkzF64SVpYvY9nY/QSYikL8UHlyyqirs6eFZ3Mj9lMRpHM2Spn9a3c701
+0Ge4wDbRP2oftCyPP+p9pdUA77ifMTlRcoMYX8oXAuyE5RT2emBDiWvSR6hQQ8bZ
+WFNXal+bUPpaRiruCCUPD2b8Od1ftzLqbYOosxr/m5Du0uahgOuGw6zlGBJCVOo7
+UB2Y++oZ8P7oDGF722opepWQ+bl2a6TRMLNWWlj4UANknyjlhyZZ7PKhWLjoC6MU
+dAKcwQUdp+XYLc/3b00bvgju0e99QgHZMX2fN3d3ktdN5Q2fqiAi5R6BmCCO4ISF
+o5j10gGU/sdqGHvNhv5C21ibun7HEzMtxBhnhGmytfBJzrsj7GOReePsfTLoCoUq
+dFMOAVUDciVfRtL2m8cv42ZJOXtPfDjsFOf8AKJk40/tc8mMMqZP7RVBr9RWOoq5
+y9D37NfI6UB8rPZ6qs0a1Vfm8lIh2/k1AFECduXgftMDTsmmXOgXXS37HukGW7AL
+QKWiWJQF/XopkXwkyAYpyuyRMZ77oF7nuqLFnl5VVEiRo0Fwu45erebc6ccSwYZU
+8pmeSx7s0aJtxCZPSZEKZ3mn0BXOR32Cgs48CjzFWf6PKucTwOy/YO0/4Gt/upNJ
+3DyeINcYcKyD08DEIF9f5tLyoiD4xz+N23ltTBoMPyv4f3X/wCQ=
+=ch7z
+-----END PGP PUBLIC KEY BLOCK-----

ci/codecov-wrapper

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -xe
+
+curl -Os https://uploader.codecov.io/latest/linux/codecov
+curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM
+curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig
+
+sqv --keyring ci/codecov-keys.asc codecov.SHA256SUM.sig codecov.SHA256SUM
+shasum -a 256 -c codecov.SHA256SUM
+
+chmod +x codecov
+
+if [[ "$CI_COMMIT_BRANCH" =~ ^pr- ]]; then
+    PR=${CI_COMMIT_BRANCH#pr-}
+    parents=$(git show -s --format='%P %ae')
+    if [ $(wc -w <<<"$parents") -eq 3 ] && [ "${parents##* }" = "fepitre-bot@qubes-os.org" ]; then
+        commit_sha=$(cut -f 2 -d ' ' <<<"${parents}")
+    else
+        commit_sha=$(git show -s --format='%H')
+    fi
+    exec ./codecov --pr "$PR" --sha "$commit_sha" "$@"
+fi
+exec ./codecov "$@"

ci/coveragerc

@@ -0,0 +1,5 @@
+[run]
+source = vmupdate
+omit =
+  vmupdate/agent/*
+  vmupdate/tests/*

ci/requirements.txt

@@ -0,0 +1,12 @@
+# WARNING: those requirements are used only for travis-ci.org
+# they SHOULD NOT be used under normal conditions; use system package manager
+docutils
+pylint
+sphinx
+python-daemon
+mock
+lxml
+PyYAML
+xcffib
+tqdm
+pyxdg

doc/tools/qubes-vm-update.rst

@@ -0,0 +1,123 @@
+===============
+qubes-vm-update
+===============
+
+NAME
+====
+qubes-vm-update - update software in virtual machines (qubes)
+
+SYNOPSIS
+========
+| qubes-vm-update [options]
+
+OPTIONS
+=======
+
+Package Manager
+---------------
+--no-refresh
+    Do not refresh available packages before upgrading vm
+--force-upgrade, -f
+    Try upgrade even if errors are encountered (like a refresh error)
+--leave-obsolete
+    Do not remove obsolete packages during upgrading
+
+Targeting
+---------
+--skip SKIP
+    Comma separated list of VMs to be skipped, works with all other options.
+--targets TARGETS
+    Comma separated list of VMs to target. Ignores conditions.
+--templates, -T
+    Target all updatable TemplateVMs.
+--standalones, -S
+    Target all updatable StandaloneVMs.
+--apps, -A
+    Target running updatable AppVMs to update in place. Updates will be lost after vm restart.
+--all
+    DEFAULT. Target all updatable VMs except AdminVM. Use explicitly with "--targets" to include both.
+
+Selecting
+---------
+--update-if-available
+    Update targeted VMs with known updates available
+--update-if-stale UPDATE_IF_STALE
+    DEFAULT. Attempt to update targeted VMs with known updates available or for which last update check was more than N days ago. (default: dom0 feature `qubes-vm-update-update-if-stale` if set or 7)
+--force-update
+    Attempt to update all targeted VMs even if no updates are available
+
+Propagation
+-----------
+--apply-to-sys, --restart, -r
+    Restart not updated ServiceVMs whose template has been updated.
+--apply-to-all, -R
+    Restart not updated ServiceVMs and shutdown not updated AppVMs whose template has been updated.
+--no-apply
+    DEFAULT. Do not restart/shutdown any AppVMs.
+
+Auxiliary
+---------
+--max-concurrency MAX_CONCURRENCY, -x MAX_CONCURRENCY
+    Maximum number of VMs configured simultaneously (default: number of cpus)
+--log LOG
+    Provide logging level. Values: DEBUG, INFO (default), WARNING, ERROR, CRITICAL
+--signal-no-updates
+    Return exit code 100 instead of 0 if there is no updates available.
+
+--no-progress
+    Do not show upgrading progress
+--dry-run
+    Just print what happens
+--no-cleanup
+    Do not remove updater files from target qube
+
+--help, -h
+    Show this help message and exit
+--quiet, -q
+    Do not print anything to stdout
+--show-output, --verbose, -v
+    Show output of management commands
+
+
+How to correctly use targeting and selection?
+
+Targeting is used to choose the VMs that will be checked for available updates, and the three-level selection is used to check if the previously chosen VMs qualify for updates (i.e., there are, for example, updates available for them).
+
+Additionally, not all VMs in the system can be updated directly (such as AppVMs), and to update them, you must use one of the "propagation" options. This means, after updating the template, restarting the VM and applying the installed updates to it. Using at least the `--apply-to-sys` flag is recommended, which restarts all service VMs. Keep in mind that during this process, unsaved data may be lost.
+
+RETURN CODES
+============
+
+0:   ok
+
+100: ok, returned if `--signal-no-updates` and no updates available
+
+1:   general error
+
+2:   usage error, unrecognized argument
+
+11:  error of TemplateVM shutdown
+
+12:  error of AppVM shutdown
+
+13:  error of AppVM startup
+
+21:  general error inside updated vm
+
+22:  error inside updated vm during updating/installing prerequisites/patches
+
+23:  repo-refresh error inside updated vm, check if vm is connected to network
+
+24:  error inside updated vm during installing updates
+
+25:  unhandled error inside updated vm
+
+40:  qrexec error, communication across domains was interrupted
+
+64:  usage error, wrong parameter value
+
+130: user interruption
+
+AUTHORS
+=======
+| Piotr Bartman-Szwarc <prbartman at invisiblethingslab dot com>