{{Header}}
{{Title|title=
Reinstall {{q_project_name_long}} Templates
}}
{{#seo:
|description=How to Reinstall {{q_project_name_short}} Templates
|image=Qubesreinstall123123.png
}}
{{qubes_mininav}}
[[File:Qubesreinstall123123.png|250px|thumb]]
{{intro|
How to Reinstall {{q_project_name_short}} Templates
}}

= Introduction =

On occasion, it is necessary to reinstall a {{project_name_long}} template from the Qubes repository. <ref>https://www.qubes-os.org/doc/how-to-reinstall-a-template/</ref>

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = <u>Note</u>:

* If {{q_project_name_short}} 16 is installed and you want to get {{q_project_name_short}} 17, it is unnecessary to follow the instructions on this page. Refer to the [[Qubes/Install|Install {{q_project_name_short}}]] instructions instead, since this is easier.
* If {{q_project_name_short}} 17 is installed and you want to get {{q_project_name_short}} 18, it is unnecessary to follow the instructions on this page. Refer to the [[Qubes/Install|Install {{q_project_name_short}}]] instructions instead, since this is easier.

<ref>
This is because the names of the Templates changed from:

* <code>whonix-gw-16</code> to <code>whonix-gateway-17</code>
* <code>whonix-workstation-16</code> to <code>whonix-workstation-17</code>
</ref>
}}

This chapter usually applies when the Template is:

* <u>Outdated</u>: To upgrade to a newer [[Point Release]] or a testers-only version of {{project_name_short}}.
* <u>Broken</u>: Templates can become broken and/or unbootable for a number of reasons, such as when [[Debian_Packages#Packages_FAQ|removing meta-packages]] that {{project_name_short}} "depends" on to function properly, or after {{kicksecure_wiki
|wikipage=Install_Software#Install_from_Debian_Testing
|text=mixing packages
}} from a later Debian release.
* <u>Misconfigured</u>: Not all Template modifications are easily reversible. In some cases, it may be necessary to reinstall the Template.
* <u>Compromised</u>: Users may suspect their Template has been compromised. For further information on this topic, see [[Malware and Firmware Trojans#Valid_Compromise_Indicators_versus_Invalid_Compromise_Indicators|Indicators of Compromise]].
* <u>Testing</u>: To ensure high quality of future {{project_name_short}} releases by becoming a {{project_name_short}} tester.

== Warning ==

{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    =
If the {{project_name_short}} Template is broken, misconfigured, or potentially compromised, discontinue using any App Qubes based on the affected Template.
}}

The reason is that any App Qubes based on the affected Template will inherit the same issues. Disregarding this advice could lead to serious consequences. For example, a core component of the {{project_name_short}} security model depends on <code>{{project_name_gateway_vm}}</code> to force all traffic through Tor or block it. If <code>{{project_name_gateway_vm}}</code> is based on a Template with a misconfigured or broken firewall, the {{project_name_short}} security model would be broken. <ref>[[Dev/Technical_Introduction#With_more_technical_terms|Technical Introduction: With more technical terms]]</ref>

== Reinstallation Methods ==

Qubes has its own [https://www.qubes-os.org/doc/how-to-reinstall-a-template/ template reinstallation guide]; however, this {{project_name_short}} wiki entry should be preferred when reinstalling [[Qubes|{{q_project_name_short}}]] Templates. The reason is that this guide is Whonix-specific and contains instructions on how to properly configure all settings. <ref>
Using salt.
</ref>

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = <u>Note</u>: The root file system of the affected Template will be lost during the reinstallation process. It is recommended that you create a backup of any important files first.
}}

Use <u>one</u> of the following methods:

* '''A)''' [[Qubes/Uninstall|Uninstall {{q_project_name_short}}]] and then [[Qubes/Install|Install {{q_project_name_short}}]]; <u>OR</u>
* '''B)''' Follow the [[#Reinstall the {{project_name_short}} template|Reinstall the {{project_name_short}} template]] instructions below.

= Reinstall the {{project_name_short}} template =

== UpdateVM Setting ==

Since only Fedora-based UpdateVMs support the <code>--action=upgrade</code> option for reinstalling the Template, it is recommended that you create a dedicated Qubes <code>dom0</code> UpdateVM based on Qubes' Fedora template. Forcing <code>dom0</code> updates over Tor is still possible by setting <code>{{project_name_gateway_vm}}</code> as the NetVM for the UpdateVM. <ref>
* <code>sys-net</code> &rarr; <code>sys-firewall</code> &rarr; <code>{{project_name_gateway_vm}}</code> &rarr; <code>UpdateVM</code>
* <code>UpdateVM</code> &rarr; <code>{{project_name_gateway_vm}}</code> &rarr; <code>sys-firewall</code> &rarr; <code>sys-net</code>
</ref>

{{Box|text=
'''1.''' Create a new VM named <code>dom0-updatevm</code>.

<code>Qubes VM Manager</code> &rarr; <code>VM</code> &rarr; <code>Create App Qube</code>

* <u>Name and label:</u> Name the App Qube. Do not include any personal information (if the App Qube is compromised, the attacker could run <code>qubesdb-read /name</code> to reveal the VM name). Name the App Qube something generic, for example: <code>dom0-updatevm</code>.
* <u>Color:</u> Choose a color label for the UpdateVM.
* <u>Use this template:</u> Choose the <u>Fedora</u>-based Template. For example: <code>fedora-42</code>. (There may be a higher version number than <code>34</code> available than there was at time time of writing.)
* <u>Standalone:</u> Leave the Standalone field unchecked.
* <u>Type:</u> Choose the type <code>App Qube</code>.
* <u>Allow networking:</u> Choose the desired NetVM from the list. For example: <code>{{project_name_gateway_vm}}</code>.
* <u>Press:</u> <code>OK</code>.

'''2.''' Configure the NetVM setting of <code>dom0-updatevm</code>.

* <u>'''Option A, clearnet updates:'''</u> If non-torified, clearnet Qubes <code>dom0</code> updates are preferred, then set the NetVM of <code>dom0-updatevm</code>, for example, to <code>sys-firewall</code>.

<code>Qube Manager</code> &rarr; <code>dom0-updatevm</code> &rarr; <code>Qube s<u>e</u>ttings</code> &rarr; <code>Networking: sys-firewall</code> &rarr; <code>OK</code>
<ref>
{{CodeSelect|code=
qvm-prefs updatevm-name netvm {{project_name_gateway_vm}}
}}
</ref>

* <u>'''Option B, torified updates:'''</u> If torified Qubes <code>dom0</code> updates are preferred, then set the NetVM of <code>dom0-updatevm</code> to {{project_name_gateway_long}}.

<code>Qube Manager</code> &rarr; <code>dom0-updatevm</code> &rarr; <code>Qube s<u>e</u>ttings</code> &rarr; <code>Networking: {{project_name_gateway_vm}}</code> &rarr; <code>OK</code>
<ref>
{{CodeSelect|code=
qvm-prefs updatevm-name netvm {{project_name_gateway_vm}}
}}
</ref>

'''3.''' The process of configuring the UpdateVM is now complete.

<ref>
If the <code>dom0</code> UpdateVM is based on a Template that is broken or no longer trusted (the Template is broken, misconfigured, or compromised), an alternate UpdateVM can be used temporarily. In other words, more specifically, if the {{project_name_gateway_short}} Template (<code>{{project_name_gateway_template}}</code>) and/or its {{project_name_gateway_short}} ProxyVM (<code>{{project_name_gateway_vm}}</code>) are no longer trusted, then configure Qubes <code>dom0</code> to use a different UpdateVM by applying the following steps.

TODO
</ref>
}}

== Update dom0 ==
{{Qubes_upgrade_dom0}}

== Configure salt using Qubes dom0 Community Testing Repository ==
{{Qubes_testing}}

== Reinstall ==

In the instructions below, a check is first made for a newer version of the Template.

* <u>Upgrade if available:</u> If a newer Template version exists, install it (<code>upgrade</code>).
* <u>Reinstall if not:</u> If no newer Template version is available, reinstall the existing version (<code>reinstall</code>).

Unfortunately, there is no combined upgrade and reinstall command. <ref>
[https://github.com/QubesOS/qubes-issues/issues/4518 qubes-dom0-update combined upgrade reinstall command]
</ref>

{{Box|text=
'''1.''' {{Qubes_Terminal}}

'''2.''' Try to <u>upgrade</u> the Template.

* <u>Requirement:</u> This will only work if a new [[Point Release]] of the Template is available.
* <u>Template choice:</u> Replace <code>qubes-template-package</code> with either <code>qubes-template-whonix-workstation-{{VersionShort}}</code> or <code>qubes-template-whonix-gateway-{{VersionShort}}</code>.
* <u>Testers:</u> Replace <code>--enablerepo=qubes-templates-community</code> with <code>--enablerepo=qubes-templates-community-testing</code> if you are a tester.

<pre>
qvm-template --enablerepo=qubes-templates-community upgrade <qubes-template-package>
</pre>

For example, to upgrade the <code>whonix-gateway-{{VersionShort}}</code> Template:

{{CodeSelect|code=
qvm-template --enablerepo=qubes-templates-community upgrade whonix-gateway-{{VersionShort}}
}}

For example, to upgrade the <code>whonix-workstation-{{VersionShort}}</code> Template:

{{CodeSelect|code=
qvm-template --enablerepo=qubes-templates-community upgrade whonix-workstation-{{VersionShort}}
}}

'''3.''' Check the command output. The following results are possible:

* <u>Template was successfully upgraded:</u> No further action required. Skip step four.
* <u>No upgrade available:</u> The Template is already the latest version. Proceed to step four to force a reinstall.
* <u>Upgrade unsupported or failed:</u> This may occur if your UpdateVM is not Fedora-based. Refer to [[Qubes/Reinstall#UpdateVM_Setting|UpdateVM Setting]].
* <u>Unexpected error:</u> Could be caused by networking issues or repository problems. Investigate and retry as necessary.

'''4.''' ''Optional:'' Reinstall the Template.

* <u>When to reinstall:</u> If step two did not reinstall the Template (i.e. no new Point Release), you may force a reinstall here.
* <u>Safety:</u> Safe to run even if the Template is already up-to-date. It will simply be reinstalled.

<pre>
qvm-template --enablerepo=qubes-templates-community reinstall <qubes-template-package>
</pre>

For example, to reinstall the <code>whonix-gateway-{{VersionShort}}</code> Template:

{{CodeSelect|code=
qvm-template --enablerepo=qubes-templates-community reinstall qubes-template-whonix-gateway-{{VersionShort}}
}}

For example, to reinstall the <code>whonix-workstation-{{VersionShort}}</code> Template:

{{CodeSelect|code=
qvm-template --enablerepo=qubes-templates-community reinstall qubes-template-whonix-workstation-{{VersionShort}}
}}

* <u>Template reinstalled successfully:</u> Reinstallation completed without issues.
* <u>Error during reinstall:</u> Likely caused by connectivity problems or misconfiguration. Review the error message and retry.
}}

== Settings ==

{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    = This step is mandatory. <ref>
[https://github.com/QubesOS/qubes-issues/issues/3447 phase out manual use of qubes-dom0-update by user / replace it by salt]
</ref>
}}

Use <code>salt</code> to configure <code>dom0</code> settings. <ref>
[[Dev/Qubes#salt]]
</ref>

{{CodeSelect|code=
sudo qubesctl state.sls qvm.{{project_name_workstation_vm}}
}}

= Optional Steps =

== {{project_name_short}} Disposable Template ==

{{Qubes_Install_DVM}}

== Updates over Tor ==

{{Qubes Install Updates over Tor}}

== Enable AppArmor ==
{{Qubes_AppArmor}}

= Final Steps =

== Restart App Qubes ==

Any VMs based on the reinstalled Template must be restarted to reflect the updated file system.

== Update and Launch Applications ==

{{Qubes Install Update and Launch Applications}}

== Done ==

The process of reinstalling {{q_project_name_short}} Templates is now complete.

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]