qusal/salt/sys-cacher
2024-06-24 14:32:34 +02:00
..
files fix: change Launchpad repository to HTTPS domain 2024-06-24 14:32:34 +02:00
appmenus.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
appmenus.top refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure-browser.sls fix: thunar requires xfce helpers to find terminal 2024-01-31 14:42:17 +01:00
configure-browser.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.sls feat: revive caching of Fedora qubes 2024-06-07 15:01:16 +02:00
configure.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls fix: GUI Global Config precedes packaged policies 2024-06-17 11:36:39 +02:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
deinit.top fix: uninstall cacher client with tag in pillar 2024-06-13 13:28:24 +02:00
init.top fix: skip client setup on cacher initialization 2023-12-19 21:12:07 +01:00
install-client.sls feat: revive caching of Fedora qubes 2024-06-07 15:01:16 +02:00
install-client.top fix: uninstall cacher client with tag in pillar 2024-06-13 13:28:24 +02:00
install.sls feat: revive caching of Fedora qubes 2024-06-07 15:01:16 +02:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
list-extra-tag.sls fix: use Admin API for fast queries 2024-06-13 13:29:30 +02:00
list-extra-tag.top fix: cacher: restrict install to supported clients 2024-05-29 18:29:27 +02:00
README.md feat: revive caching of Fedora qubes 2024-06-07 15:01:16 +02:00
remove-policy.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
tag.sls fix: use Admin API for fast queries 2024-06-13 13:29:30 +02:00
tag.top refactor: initial commit 2023-11-13 14:33:28 +00:00
uninstall-client.sls fix: cacher: restrict install to supported clients 2024-05-29 18:29:27 +02:00
uninstall-client.top fix: uninstall cacher client with tag in pillar 2024-06-13 13:28:24 +02:00
untag.sls fix: cacher: restrict install to supported clients 2024-05-29 18:29:27 +02:00
untag.top refactor: initial commit 2023-11-13 14:33:28 +00:00
version fix: generate RPM Specs for Qubes Builder V2 2024-06-21 17:00:06 +02:00

sys-cacher

Caching proxy server for software repositories in Qubes OS.

Table of Contents

Description

The caching proxy is "sys-cacher" based on apt-cacher-ng, it stores downloaded packages, so that you need only download a package once and fetch locally the next time you want to upgrade your system packages.

When you install this package, qubes will be tagged with "updatevm-sys-cacher" and they will be altered to use the proxy by default. When there is "https://" in your repository definitions, the entries will be changed in the templates from to "http://HTTPS///". This is so that the request to the proxy is plain text, and the proxy will then make the request via https.

This change will be done automatically for every template that exists and is not Whonix based. No changes are made to Whonix templates, and updates to those templates will not be cached.

The caching proxy supports:

  • Debian and derivatives (but not Whonix)
  • Fedora and derivatives
  • Arch Linux and derivatives

Installation

Installation may take a long time as it will target all templates unless you specify otherwise.

  • Top
sudo qubesctl top.enable sys-cacher browser
sudo qubesctl --targets=tpl-browser,sys-cacher-browser,tpl-sys-cacher,sys-cacher state.apply
sudo qubesctl top.disable sys-cacher browser
sudo qubesctl state.apply sys-cacher.appmenus,sys-cacher.tag
sudo qubesctl --skip-dom0 --targets="$(qvm-ls --no-spinner --raw-list --tags updatevm-sys-cacher | tr "\n" ",")" state.apply sys-cacher.install-client
  • State
sudo qubesctl state.apply sys-cacher.create
sudo qubesctl --skip-dom0 --targets=tpl-browser state.apply browser.install
sudo qubesctl --skip-dom0 --targets=tpl-sys-cacher state.apply sys-cacher.install
sudo qubesctl --skip-dom0 --targets=sys-cacher state.apply sys-cacher.configure
sudo qubesctl --skip-dom0 --targets=sys-cacher-browser state.apply sys-cacher.configure-browser
sudo qubesctl state.apply sys-cacher.appmenus,sys-cacher.tag
sudo qubesctl --skip-dom0 --targets="$(qvm-ls --no-spinner --raw-list --tags updatevm-sys-cacher | tr "\n" ",")" state.apply sys-cacher.install-client

Access control

The distributed policy will take precedence over the ones set during first installation or the GUI Global Config. If you want to use sys-cacher and edit configuration for certain qubes to update over different proxys, you can do so.

Allow qubes with tag whonix-updatevm to use the proxy in sys-alt-whonix and qube dev to use the proxy in disp-sys-net.

qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-alt-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm   deny
qubes.UpdatesProxy * dev @default allow target=disp-sys-net
qubes.UpdatesProxy * dev @anyvm   deny

Usage

Report Page and Maintenance Tasks

The report page is available from sys-cacher and sys-cacher-browser at http://127.0.0.1:8082/acng-report.html and any other client qube that has sys-cacher as it's update qube. This is apt-cacher-ng limitation and is bad security wise, every client has administrative access to the cacher qube. You should add the following to the end of sys-cacher rc.local:

echo "AdminAuth: username:password" | tee /etc/qubes-apt-cacher-ng/zzz_security.conf

Where username and password are HTTP Auth strings.

If you want to view statistics or manage the server through a GUI, open sys-cacher or sys-cacher-browser desktop file cacher-browser.desktop from Dom0. Addresses starting with http or https will be redirected to sys-cacher-browser.

The browser separation from the server is to avoid browsing malicious sites and exposing the browser to direct network on the same machine the server is running. The browser qube is offline and only has access to the admin interface. In other words, it has control over the server functions, if the browser is compromised, it can compromise the server.

Connect to the cacher via IP instead of Qrexec

Because the sys-cacher qube is listening on port 8082, you can use it from non-template qubes and qubes that do not have a working Qrexec. Use the native configuration to set the update proxy using the IP address of sys-cacher by setting sys-cacher as the netvm of the client qube.

Set sys-cacher as the netvm of your qube:

qvm-prefs QUBE netvm sys-cacher

Enable the service netvm-cacher:

qvm-features QUBE service.netvm-cacher 1

Copy apt-cacher-ng-repo to your qube and set the script to run on boot. Make sure that the file /var/run/qubes-service/netvm-cacher exists on every startup for the proxy address change take effect.

The qube has to be restarted for changes to take effect.

Non-TemplateVMs integration

Attention: this method will allow a client qube to bypass the qubes firewall and connect to a remote host via the updates proxy.

By default, only templates will use the proxy to update, if you want to cache non-TemplateVMs updates or simply make them functional again, the qube will need the service.updates-proxy-setup feature set:

qvm-tags QUBE add updatevm-sys-cacher
qvm-features QUBE service.updates-proxy-setup 1
sudo qubesctl --skip-dom0 --targets=QUBE state.apply sys-cacher.install-client

Don't forget to restart the qube.

If you don't want or can't restart the qube, such as DispVMs, where you would lose the current session:

qvm-tags QUBE add updatevm-sys-cacher
qvm-features QUBE service.updates-proxy-setup 1
sudo qubesctl --skip-dom0 --targets=QUBE state.apply sys-cacher.install-client
qvm-run --user=root QUBE -- "
touch /var/run/qubes-service/updates-proxy-setup
/usr/bin/apt-cacher-ng-repo
systemctl restart qubes-updates-proxy-forwarder.socket"

Uninstallation

  • Top:
sudo qubesctl top.enable sys-cacher.deinit
sudo qubesctl --targets="$(qvm-ls --no-spinner --raw-list --tags updatevm-sys-cacher | tr "\n" ",")" state.apply
sudo qubesctl top.disable sys-cacher.deinit
sudo qubesctl state.apply sys-cacher.untag
  • State:
sudo qubesctl state.apply sys-cacher.remove-policy
sudo qubesctl --skip-dom0 --targets="$(qvm-ls --no-spinner --raw-list --tags updatevm-sys-cacher | tr "\n" ",")" state.apply sys-cacher.uninstall-client
sudo qubesctl state.apply sys-cacher.untag

If you want to use the standard proxy for a few qubes, only uninstall it from the templates that you don't want to cache packages:

sudo qubesctl --skip-dom0 --targets=QUBE state.apply sys-cacher.uninstall-client
qvm-tags QUBE del updatevm-sys-cacher

If you tagged manually a qube that is unsupported, updates for that qube will fail. Get a full list of unsupported qubes (warning: there may be false positives of supported qubes being listed):

sudo qubesctl --show-output state.apply sys-cacher.list-extra-tag

Credits