Add Fedora 31 template upgrade instructions #45
Recommending slight tweaks to the guiding language. Process-wise, try the template manager tool, and see if you agree it's a better fit to document!
Why do I need to upgrade? | ||
------------------------- | ||
|
||
SecureDrop Workstation makes use of the Fedora-based ``work`` and ``vault`` VMs, which are part of a Qubes installation by default. In Qubes 4.0.3, these VMs are based on a Fedora 30 template. |
The statement about the VMs listed here is accurate, but incomplete. Recommend changing from
SecureDrop Workstation makes use of the Fedora-based `work` and `vault` VMs, which are part of a Qubes installation by default
to
SecureDrop Workstation makes use of the Fedora-based VMs which are part of a Qubes installation by default, including, `work`, `vault`, `sys-net`, `sys-firewall`, and `sys-usb`.
The rephrase is something of a mouthful, so feel free to play with the language!
SecureDrop Workstation makes use of the Fedora-based ``work`` and ``vault`` VMs, which are part of a Qubes installation by default. In Qubes 4.0.3, these VMs are based on a Fedora 30 template. | ||
|
||
As of June 2020, Fedora 30 templates will be end-of-life. If you are provisioning SecureDrop Workstation for the first time, you will need to update your Fedora template manually from Fedora 31 *before* installing SecureDrop Workstation. | ||
|
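Review bot: In the sentence beginning "If you are provisioning SecureDrop Workstation for the first time", the phrase "update your Fedora template manually from Fedora 31" names the target release as the starting point. The paragraph above it says the default VMs are based on a Fedora 30 template, so this should read "to Fedora 31" (or "from Fedora 30 to Fedora 31").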
As of June 2020
Technically the EOL date for F30 was 2020-05-26, but no complaints about the generalization here, keep it. Worth linking out to https://fedoraproject.org/wiki/End_of_life in the first sentence. Also, `s/will be/are/` simply to future-proof the language.
|
||
As of June 2020, Fedora 30 templates will be end-of-life. If you are provisioning SecureDrop Workstation for the first time, you will need to update your Fedora template manually from Fedora 31 *before* installing SecureDrop Workstation. | ||
|
||
If you are an existing SecureDrop Workstation user, you should also upgrade to a Fedora 31 template. |
Existing SecureDrop Workstation users will be automatically upgraded to F31, at least on the `sys-*` VMs. Admittedly the `work` & `vault` VMs will still be out of date. So, you're right to recommend manual action here—perhaps with some reference to the fact that the service VMs were updated automatically.
Eventually, we'll likely mandate the update across the board via unattended-upgrades, but more discussion required.
Update the Fedora-31 template | ||
----------------------------- | ||
|
||
Once the template is installed, update it using the Qubes updater (**System Tools > Qubes Update**). |
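Review bot: The heading "Update the Fedora-31 template" hyphenates the release name, while the body text elsewhere in this change writes "Fedora 31 template". Pick one form; if the hyphenated form is meant as the literal template name, set it as ``fedora-31`` so readers can tell it apart from the release name.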
By default the VM won't show updates available (since it hasn't been booted yet, so the update-checker service hasn't run), so it's worth pointing out that one must force updates by checking the "Enable updates for qubes without known available updates" box, same as we do in the install guide. (Effectively, folks will have to run the GUI updater twice during first-install, which is a shame, but definitely the safest option.)
Recommending slight tweaks to the guiding language. Process-wise, try the template manager tool, and see if you agree it's a better fit to document!
Have recommended using the Qube Manager to make template changes in 252c1e1, as well as addressed all your other comments (thumbs'd up). Thank you for the review!
|
||
VMs not managed by SecureDrop Workstation must be manually configured in order to use the Fedora 31 template. | ||
|
||
It is most important to update the ``work`` and ``vault`` VMs to Fedora 31; however, you may also choose to update ``sys-net``, ``sys-usb``, and ``sys-firewall``. |
Subject to disagreement, but I'd say it's more critical to update the `sys-*` VMs, since some of those are network-aware. Recommend moving the "most important" language and listing the five (5) out explicitly.
Sounds good; I was basing that on freedomofpress/securedrop-workstation#544 (comment), but I realize that that hierarchy only applies to existing workstation users and have fixed in 252c1e1. Thanks for catching!
@@ -0,0 +1 @@ | |||
If you are part of the SecureDrop Workstation Pilot and you have questions about this process or about any other aspect of SecureDrop Workstation, please reach out to us. |
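Review bot: "please reach out to us" in this one-line include gives no channel for doing so. Add the support contact, or a link to the page that lists it, so the sentence stays actionable wherever the include is reused.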
Three cheers for reusable includes! 👌
Changes look great, thanks @rocodes!
In a future docs PR (Fedora templates change about every six months), let's consider recommending Qubes Application Menu -> System Tools -> Qubes Template Manager. Even if we end up automating the Fedora transition for existing Workstations, first-time installs will frequently need a manual update to get started.
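Added example, not part of this PR or the SecureDrop documentation: a dom0 shell check that lists qubes still based on the end-of-life template and marks the five default qubes named in the thread. It assumes input in the `name|template` form that `qvm-ls --raw-data --fields name,template` prints; the inventory, including the `personal` qube, is constructed sample data.

```shell
# Added example. Reads "name|template" lines on stdin, the format assumed
# for `qvm-ls --raw-data --fields name,template` run in dom0.

EOL_TEMPLATE="fedora-30"   # the template this page describes as end-of-life
# The five Fedora-based default qubes listed in the review thread.
DEFAULT_QUBES="work vault sys-net sys-firewall sys-usb"

# Print "name<TAB>class" for each qube still based on $EOL_TEMPLATE.
# class is "default" for the five qubes above and "other" for anything else.
eol_qubes() {
    while IFS='|' read -r name template; do
        if [ -z "$name" ] || [ "$template" != "$EOL_TEMPLATE" ]; then
            continue    # blank line, or qube not on the EOL template
        fi
        class="other"
        for q in $DEFAULT_QUBES; do
            if [ "$q" = "$name" ]; then class="default"; fi
        done
        printf '%s\t%s\n' "$name" "$class"
    done
    return 0
}

# Constructed inventory: sys-* already moved to fedora-31, work and vault not.
# Template qubes themselves report "-" in the template column.
sample_inventory() {
    cat <<'EOF'
sys-net|fedora-31
sys-firewall|fedora-31
sys-usb|fedora-31
work|fedora-30
vault|fedora-30
personal|fedora-30
fedora-30|-
fedora-31|-
EOF
}

sample_inventory | eol_qubes
```

In dom0 the live inventory would replace `sample_inventory` as the input to `eol_qubes`; an empty result means no qube is left on the end-of-life template.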
252c1e1 to fd3de7e
Rebased to unblock merge
Instructions based roughly on freedomofpress/securedrop-workstation#544 (comment)
Tagging @conorsch for review as per this morning's standup!