Shores up update cron logic

Still using bash, but pared down the qubesctl calls to what's strictly necessary. Also replaced pkg.upgrade with the Qubes-maintained "update.qubes-vm" Salt state, which intelligently handles Debian/Fedora VMs. It first applies critical patches, such as for DSA-4371-1/CVE-2019-3462, for patching apt, then ensures all packages are up to date.
freedomofpress · Dec 2, 2019 · 0a2a391 · 0a2a391
1 parent ef7f86f
commit 0a2a391
Showing 1 changed file with 22 additions and 15 deletions.
diff --git a/dom0/securedrop-update b/dom0/securedrop-update
@@ -31,28 +31,35 @@ function securedrop-update-feedback() {
         'SecureDrop: $msg'"
 }
 
-# `qubesctl pkg.upgrade` will automatically update dom0 packages, as well,
-# but we *first* want the freshest RPMs from dom0, *then* we'll want to
-# update the VMs themselves.
+function get_sdw_target_vms() {
+    qvm-ls --tags sd-workstation --raw-data --fields NAME,CLASS \
+        | perl -F'\|' -lanE 'say $F[0] if $F[1] eq "TemplateVM"' \
+        | perl -npE 's/\n/,/g' \
+        | perl -npE 's/,$//'
+}
+
 securedrop-update-feedback "Updating dom0 configuration..."
-sudo qubes-dom0-update -y
 
-securedrop-update-feedback "Updating application..."
+# Install latest RPMs inside dom0
+qubesctl state.sls update.qubes-dom0
+
+# Configure VM state (network settings, RPC policies)
+securedrop-update-feedback "Updating VM configuration..."
+qubesctl state.highstate
 
-# update only fedora template: dist_upgrade is required for debian package
-# upgrades and causes fedora template upgrades to fail.
+securedrop-update-feedback "Installing updates for VM applications..."
 
-qubesctl --target fedora-30 pkg.upgrade refresh=true
+qubesctl --skip-dom0 --targets fedora-30 state.sls update.qubes-vm
 
-# upgrade all (other) templates
-qubesctl --skip-dom0 --templates \
-    --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
-    pkg.upgrade refresh=true dist_upgrade=true
+# Format list of all VMs comma-separated, for use as qubesctl target
+sdw_target_vms="$(get_sdw_target_vms)"
 
-securedrop-update-feedback "Updating VM configuration..."
-qubesctl \
+# Use the Qubes-provided "update.qubes-vm" state to upgrade packages
+# Update all SDW templates.
+qubesctl --skip-dom0 \
     --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
-    state.highstate
+    --targets "$sdw_target_vms" \
+    state.sls update.qubes-vm
 
 securedrop-update-feedback \
     "Updates installed. Please reboot the workstation \