Batch updating TemplateVMs in Qubes 3.0

If you are a Qubes user like me, you probably have a number of TemplateVMs which your App/USB/ProxyVMs are based off of (e.g, you aren't using the same template for all VMs, as you would otherwise develop a fair bit of irrelevant bloat across them all).

If so, you've probably discovered that keeping all those templates up to date with security updates is rather cumbersome when doing so manually.

I wrote a simple shell script which can be executed from dom0 (I placed it at /usr/local/bin/qubes-template-update). It loops over all the templates, detects whether the template is Fedora or Debian, and checks for or applies updates accordingly.

# Script to update template images in a big batch

# Get a list of templates
TEMPLATES=$(qvm-ls | grep Tpl | awk {'print $1'} |cut -d[ -f2 | cut -d] -f1)

cat << EOF
usage: $0

This script will power up template images and run software
updates on them.

Currently only Fedora and Debian-based templates are supported.

Whonix templates, although Debian-based, are not supported,
because there is the chance that Tor is not connected yet.

# Parse arguments
while getopts ":h" OPTION
  case $OPTION in
      exit 1

for template in ${TEMPLATES[@]}; do
  echo "Attempting to run updates on $template"
  if [[ $template == *"whonix"* ]]; then
    echo "Don't run Whonix updates with this script, because Tor may not be connected. Run them manually after whonixcheck completes"
    # Attempt to detect whether this is a Debian system
   qvm-run -u root -a --nogui -p $template "test -f /etc/debian_version"
    if [ $? -eq 0 ]; then
      # Debian
     qvm-run -u root -a --nogui -p $template "apt-get update; DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade; apt-get clean"
      # Fedora
     qvm-run -u root -a --nogui -p $template "yum -y update; yum clean all"
    qvm-shutdown $template

It is known to work fine in Qubes 3.0. I know that in 3.1, the Salt stack has been introduced, which might make this script obsolete. However, while 3.0 is stable, you may be reluctant to upgrade, and if so, feel free to use this.

Note that the script stubbornly refuses to perform updates on Whonix templates, because there is the chance that your Tor is not yet connected when the apt-get commands start to run. I recommend running the Whonix updates manually, starting with the gateway template, then shutting down the live gateway, restarting it, and then applying same updates on the workstation template.

Hope it's of use to you!