Use Fedora-35 template (Qubes 4.0 and 4.1)

[rocodes]

Status

On hold until f35 template moves out of testing repo (see QubesOS/qubes-issues#6969)

Description of Changes

Fixes #763.

Changes proposed in this pull request:
Switch base template for system vms (sys-net, sys-usb, sys-firewall) to Fedora 35 for both Qubes 4.0 and 4.1.

Testing

Testing before template lands in main Qubes template repo:

• Install f35 template via sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-fedora-35
• Check out this branch in your dev vm
• make clone then sdw-admin --apply
• System templates are switched to fedora-35
• make test passes in dom0 (:exclamation: I'm not sure this is possible right now, I think there are preexisting test failures, at least that I'm seeing - will update)
• Basic functionality (network connectivity, attaching/detaching devices via sys-usb) is working
• New Fedora-35 DVM is created and displays in appmenu; other fedora dispvms can still be opened
• default-mgmt-dvm is fedora-35, as are templates for sys-net, sys-usb, sys-firewall

Testing after template lands:

• Skip the first step, run through test plan

Clean install testing (after template lands)

• Clean installs on 4.0 and 4.1 are successful and base template is fedora-35 after sdw-admin --apply has been run

Installation Notes:

• On both new installs and upgrades will likely run into a PCI error with sys-net that will require you to set the no-strict-reset option in order for sys-net to boot successfully. In my case, I had to set this option and then reboot my machine, then rerun sdw-admin --apply.

Deployment

Any special considerations for deployment? Consider both:

1. Upgrading existing pilot instances (May need to communicate PCI workaround via support channels)
2. New installs

Checklist

If you have made changes to the provisioning logic

• All tests (make test) pass in dom0

If you have added or removed files

• I have updated MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec

If documentation is required

• I have opened a PR in the docs repo for these changes, or will do so later
• I would appreciate help with the documentation

[sssoleileraaa]

When this gets released, let's branch from the last tag to avoid pulling in 4.1 changes (even though nothing should break).

[rocodes]

(Fedora 35 template is now in Qubes 4.0 main repo, and has been in 4.1 repo for a few days.) I still haven't been able to download it via sudo qubes-dom0-update qubes-template-fedora-35 even after cleaning the cache, but just gonna give it a couple hours.)

[sssoleileraaa]

Testing

Testing before template lands in main Qubes template repo:

• Install f35 template via sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-fedora-35
• Check out this branch in your dev vm
• make clone then sdw-admin --apply
• System templates are switched to fedora-35
• make test passes in dom0 without any unexpected failures

  I didn't see any unexpected failures (keyring test that checks for the 2023 expiration date is expected to fail until we release the keyring packages for instance)

• Basic functionality (network connectivity, attaching/detaching devices via sys-usb) is working
• New Fedora-35 DVM is created and displays in appmenu; other fedora dispvms can still be opened
• default-mgmt-dvm is fedora-35, as are templates for sys-net, sys-usb, sys-firewall (for default-mgmt-dvm I just checked /etc/os-release since it's hidden from the qubes menu

[rocodes]

(Leaving a note for posterity/for people doing future template testing and upgrades that if you previously installed the f35 testing template, even if you uninstall it before installing the stable template, you need to use the --action=upgrade flag in order not to get the message Unable to find a match for template.)