Update Fedora-30 based VMs to Fedora 31

[emkll]

Fedora 30 TemplateVMs go end-of-life at the end of this month[1] . We should ensure the Fedora 31 template is added and all workstation-relevant VMs use the Fedora 31 Template.

[1] : https://www.qubes-os.org/news/2020/04/30/fedora-31-template-available/

[eloquence]

Is this a change that we expect will be fully automatic from the admin's perspective (shipped via RPM & updater enforcing dom0 state), or do we already know that additional manual steps will be required?

[emkll]

It seems like most of the logic in place from the Fedora 29 to Fedora 30 transition is working properly here for the move to Fedora 31.

With a one line diff to the salt logic (and test fixes), I was able to provision a workstation using fedora-31 system VMs.

We would need to enforce this sd-sys-vms state as part of the graphical updater flow, and ensure the logging output would allow us to debug potential errors.

This does not update unmanaged fedora-30 VMs (work, vault or other), and does not remove the fedora-30 template from the system.

Otherwise, this seems like a change we could fully automate as part of the regular update flow.

diff --git a/dom0/sd-sys-vms.sls b/dom0/sd-sys-vms.sls
index 5599f82..d1ae401 100644
--- a/dom0/sd-sys-vms.sls
+++ b/dom0/sd-sys-vms.sls
@@ -9,7 +9,7 @@ include:
   # is created.
   - qvm.default-dispvm
 
-{% set sd_supported_fedora_version = 'fedora-30' %}
+{% set sd_supported_fedora_version = 'fedora-31' %}
 
 # Install latest templates required for SDW VMs.
 dom0-install-fedora-template:
diff --git a/tests/test_qubes_vms.py b/tests/test_qubes_vms.py
index e103196..820404c 100644
--- a/tests/test_qubes_vms.py
+++ b/tests/test_qubes_vms.py
@@ -3,7 +3,7 @@ import unittest
 from qubesadmin import Qubes
 
 
-CURRENT_FEDORA_VERSION = "30"
+CURRENT_FEDORA_VERSION = "31"
 CURRENT_WHONIX_VERSION = "15"
 
 
user@dev:~/src/securedrop-workstation$ git diff
diff --git a/dom0/sd-sys-vms.sls b/dom0/sd-sys-vms.sls
index 5599f82..d1ae401 100644
--- a/dom0/sd-sys-vms.sls
+++ b/dom0/sd-sys-vms.sls
@@ -9,7 +9,7 @@ include:
   # is created.
   - qvm.default-dispvm
 
-{% set sd_supported_fedora_version = 'fedora-30' %}
+{% set sd_supported_fedora_version = 'fedora-31' %}
 
 # Install latest templates required for SDW VMs.
 dom0-install-fedora-template:
diff --git a/tests/test_qubes_vms.py b/tests/test_qubes_vms.py
index e103196..820404c 100644
--- a/tests/test_qubes_vms.py
+++ b/tests/test_qubes_vms.py
@@ -3,7 +3,7 @@ import unittest
 from qubesadmin import Qubes
 
 
-CURRENT_FEDORA_VERSION = "30"
+CURRENT_FEDORA_VERSION = "31"
 CURRENT_WHONIX_VERSION = "15"
 
 
diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py
index 64274f2..ede5ed5 100644
--- a/tests/test_vms_platform.py
+++ b/tests/test_vms_platform.py
@@ -193,7 +193,7 @@ class SD_VM_Platform_Tests(unittest.TestCase):
             "sys-usb",
         ]
         for vm in sys_vms:
-            wanted_template = "fedora-30"
+            wanted_template = "fedora-31"
             found_template = self.app.domains[vm].template.name
             self.assertEqual(wanted_template, found_template)

[emkll]

It appears #555 also resolves the upgrade case 🎉 . Tested by installing an RPM built on latest master on a 0.2.4 install, and running the Preflight Updater.

After a 20 min Preflight Updater run, Fedora-31 TemplateVM is installed, and sys-net, sys-firewall, sys-usb and default-mgmt-dvm all use the Fedora-31 template

Two findings:

• work and vault are still using fedora-30 (we allude to these in the documentation), which warrants a follow up. The challenge will be for the clean install scenario, where we need the rely on the work VM to download the RPM as part of the bootstrap process.

• The Fedora-31 Template is not immediately updated after being installed,

[emkll]

With #588 handling the first install update case, the outstanding issue would be to provide guidance to both new and existing users to update their work and vault VMs, used at install time and referred to in the docs, to Fedora 31.

The Qubes Project announcement [1] does not say if/when an ISO containing fedora-31 will be released. From QubesOS/qubes-issues#5289 , it seems like F31 was initially targeted for Qubes 4.1, but that release will be coming later this year. It is not clear if a 4.0.4 Qubes ISO will be released before the end-of-life date (May 26).

In the meantime, we can provide guidance to:

1. Install the template in dom0:

sudo qubes-dom0-update qubes-template-fedora-31

2. Update the Template
3. Manually change the work and vault VMs to Fedora-31 (optionally sys-net, sys-usb and sys-firewall, but they be swapped to fedora-31 automatically when provisioning the workstation)

[1] : https://www.qubes-os.org/news/2020/04/30/fedora-31-template-available/

[emkll]

Now that #555 and #558 have been merged, the final task would be to ensure users setting up the workstation for the first time don't used EOL TemplateVMs. We should consider a small docs update containing the recommendations above.

[eloquence]

Docs updates were merged per freedomofpress/securedrop-workstation-docs#45, closing this out.