#!/bin/bash quote_args() { local quoted_args="" for arg in "${@}"; do quoted_args="${quoted_args} \"${arg}\"" done echo "${quoted_args}" } find_regex_in_args() { local regex="${1}" shift 1 for arg in "${@}"; do if echo "${arg}" | grep -q -e "${regex}"; then return 0 fi done return 1 } UPDATEVM=`qubes-prefs --force-root updatevm` UPDATES_STAT_FILE=/var/lib/qubes/updates/dom0-updates-available if [ -z "$UPDATEVM" ]; then echo "UpdateVM not set, exiting" exit 1 fi if [ "$1" = "--help" ]; then echo "This tool is used to download packages for dom0. Without package list" echo "it checks for updates for installed packages" echo "" echo "Usage: $0 [--clean] [--check-only] [--gui] [<pkg list>]" echo " --clean clean dnf cache before doing anything" echo " --check-only only check for updates (no install)" echo " --gui use gpk-update-viewer for update selection" echo " --action=... use specific dnf action, instead of automatic install/update" echo " <pkg list> download (and install if run by root) new packages" echo " in dom0 instead of updating" exit fi PKGS=() YUM_OPTS=() GUI= CHECK_ONLY= ALL_OPTS=( "${@}" ) YUM_ACTION= QVMRUN_OPTS= CLEAN= TEMPLATE= TEMPLATE_BACKUP= # Filter out some dnf options and collect packages list while [ $# -gt 0 ]; do case "$1" in --enablerepo=*|\ --disablerepo=*) ;; --clean) CLEAN=1 ;; --gui) GUI=1 ;; --check-only) CHECK_ONLY=1 ;; --action=*) YUM_ACTION=${1#--action=} ;; -*) YUM_OPTS+=( "${1}" ) ;; *) PKGS+=( "${1}" ) if [ -z "$YUM_ACTION" ]; then YUM_ACTION=install fi ;; esac shift done # Prevent implicit update of template - this would override user changes - # but do allow explicit template upgrade, downgrade, reinstall if [ "$YUM_ACTION" == "reinstall" ] || [ "$YUM_ACTION" == "upgrade" ] || [ "$YUM_ACTION" == "upgrade-to" ] \ || [ "$YUM_ACTION" == "downgrade" ] && find_regex_in_args '^qubes-template-' "${PKGS[@]}"; then TEMPLATE_EXCLUDE_OPTS=() echo "WARNING: Replacing a template will erase all files in template's /home and /rw !" # At least one package name matches the regex '^qubes-template-', # so if there is only one package name in the array, then the # code can safely assume that the array includes only a template # package name. if [[ ${#PKGS[@]} -eq 1 ]]; then ONEPKG="$(echo "${PKGS[0]}" | sed -r 's/-[0-9]+(\.[0-9-]+)+(\.noarch)*$//')" # Remove version suffix TEMPLATE=${ONEPKG#qubes-template-} # Remove prefix if qvm-shutdown --wait $TEMPLATE ; then echo "Template VM halted" fi # Try to avoid unrecoverable failures when operating on the template of # the UpdateVM by making a backup first. UPDATEVM_TEMPLATE=$(qvm-prefs -- "$UPDATEVM" template 2>/dev/null) if [ X"$UPDATEVM_TEMPLATE" = X"$TEMPLATE" ]; then TEMPLATE_BACKUP="${TEMPLATE}-backup-$(date +%Y%m%d)-$(mktemp -u XXXX)" TEMPLATE_BACKUP=${TEMPLATE_BACKUP:0:31} echo "Attempting to operate on template of UpdateVM... backing up $TEMPLATE to $TEMPLATE_BACKUP" if ! qvm-clone -- "$TEMPLATE" "$TEMPLATE_BACKUP"; then echo "ERROR: Unable to make backup of UpdateVM template!" >&2 exit 1 fi fi else echo "ERROR: Specify only one package to reinstall template" exit 1 fi elif [ "$YUM_ACTION" == "search" ] || [ "$YUM_ACTION" == "info" ]; then # No need to shutdown for search/info TEMPLATE_EXCLUDE_OPTS=() else TEMPLATE_EXCLUDE_OPTS=( "--exclude=$(rpm -qa --qf '%{NAME},' qubes-template-\*|head -c -1)" ) fi YUM_OPTS=( "${TEMPLATE_EXCLUDE_OPTS[@]}" "${YUM_OPTS[@]}" ) ALL_OPTS=( "${TEMPLATE_EXCLUDE_OPTS[@]}" "${ALL_OPTS[@]}" ) ID=$(id -ur) if [ $ID != 0 -a -z "$GUI" -a -z "$CHECK_ONLY" ] ; then echo "This script should be run as root (when used in console mode), use sudo." >&2 exit 1 fi if [ "$GUI" == "1" -a ${#PKGS[@]} -ne 0 ]; then echo "ERROR: GUI mode can be used only for updates" >&2 exit 1 fi if [ "$GUI" == "1" ]; then apps="xterm konsole yumex apper gpk-update-viewer" if [ -n "$KDE_FULL_SESSION" ]; then apps="konsole xterm apper yumex gpk-update-viewer" fi guiapp= for app in $apps; do if type $app &>/dev/null; then guiapp=$app case $guiapp in apper) guiapp="apper --updates --nofork" ;; xterm) guiapp="xterm -e sudo dnf update" ;; konsole) guiapp="konsole --hold -e sudo dnf update" ;; *) guiapp=$app ;; esac break; fi done if [ -z "$guiapp" ]; then message1="You don't have any supported dnf frontend installed." message2="Install (using qubes-dom0-update) one of: $apps" if [ "$KDE_FULL_SESSION" ]; then kdialog --sorry "$message1<br/>$message2" else zenity --error --text "$message1\n$message2" fi exit 1 fi fi if [ "$GUI" != "1" ]; then QVMRUN_OPTS=--nogui fi # Do not start VM automatically when running from cron (only checking for updates) if [ "$CHECK_ONLY" == "1" ] && ! qvm-check -q --running $UPDATEVM > /dev/null 2>&1; then echo "ERROR: UpdateVM not running, not starting it in non-interactive mode" >&2 exit 1 fi if [ -n "$CLEAN" ]; then rm -f /var/lib/qubes/updates/rpm/* rm -f /var/lib/qubes/updates/repodata/* fi rm -f /var/lib/qubes/updates/errors echo "Using $UPDATEVM as UpdateVM to download updates for Dom0; this may take some time..." >&2 # qvm-run by default auto-starts the VM if not running qvm-run --nogui -q -u root $UPDATEVM 'mkdir -m 775 -p /var/lib/qubes/dom0-updates/' || exit 1 qvm-run --nogui -q -u root $UPDATEVM 'chown user:user /var/lib/qubes/dom0-updates/' || exit 1 qvm-run --nogui -q $UPDATEVM 'rm -rf /var/lib/qubes/dom0-updates/etc' || exit 1 tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf /etc/dnf/dnf.conf 2>/dev/null | \ qvm-run --nogui -q --pass-io "$UPDATEVM" 'LC_MESSAGES=C tar x -C /var/lib/qubes/dom0-updates 2>&1 | grep -v -E "s in the future"' qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "script --quiet --return --command '/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $(quote_args "${ALL_OPTS[@]}")' /dev/null" RETCODE=$? if [ "$CHECK_ONLY" == "1" ]; then exit $RETCODE elif [ "$RETCODE" -ne 0 ]; then exit $RETCODE fi # Wait for download completed while pidof -x qubes-receive-updates >/dev/null; do sleep 0.5; done if [ -r /var/lib/qubes/updates/errors ]; then echo "*** ERROR while receiving updates:" >&2 cat /var/lib/qubes/updates/errors >&2 echo "--> if you want to use packages that were downloaded correctly, use dnf directly now" >&2 exit 1 fi if [ -z "$YUM_ACTION" ]; then YUM_ACTION=upgrade fi if [ ${#PKGS[@]} -gt 0 ]; then if [ -n "$TEMPLATE" ]; then TEMPLATE_NETVM=$(qvm-prefs --force-root $TEMPLATE netvm) fi dnf "${YUM_OPTS[@]}" $YUM_ACTION "${PKGS[@]}" ; RETCODE=$? if [ -n "$TEMPLATE_BACKUP" -a "$RETCODE" -eq 0 ]; then # Remove backup, if we made one. Better to do this only on success and # potentially leave extra backups around than do it on an exit trap and # clean up more reliably but potentially brick a system. qvm-remove -f -- "$TEMPLATE_BACKUP" fi if [ -n "$TEMPLATE" -a -n "$TEMPLATE_NETVM" -a x"$TEMPLATE_NETVM" != xNone ]; then if ! qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM; then echo "ERROR: NetVM setting could not be restored!" >&2 exit 1 fi fi elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then # Above file exists only when at least one package was downloaded if [ "$GUI" == "1" ]; then # refresh packagekit metadata, GUI utilities use it pkcon refresh force $guiapp else dnf check-update if [ $? -eq 100 ]; then # Run dnf with options dnf "${YUM_OPTS[@]}" $YUM_ACTION fi fi dnf -q check-update && qvm-features dom0 updates-available '' else qvm-features dom0 updates-available '' echo "No updates available" >&2 if [ "$GUI" == "1" ]; then zenity --info --title='Dom0 updates' --text='No updates available' fi fi