Salt: `qubesctl state.highstate` tries to update fedora-41-xfce every run (performance impact)

[deeplow]

• I have searched for duplicates or related issues

Description

I have found the culprit for slow dom0 provisioning: qubes-vm-update for the fedora template, regardless of whether or not it actually installed fedora-41-xfce.

Here's the output of sudo qubesctl state.highstate --show-output --out=profile:

    ---------------------------------------------------------------------------------------------------------
    |                             name                             |        mod.fun         | duration (ms) |
    ---------------------------------------------------------------------------------------------------------
    |               /var/lib/securedrop-workstation/               |     file.directory     |        1.1070 |
    ---------------------------------------------------------------------------------------------------------


[...]

    ---------------------------------------------------------------------------------------------------------
    |                          sd-viewer                           |         qvm.vm         |     2176.6500 |
    ---------------------------------------------------------------------------------------------------------
    |                           sd-proxy                           |         qvm.vm         |     2628.1340 |
    ---------------------------------------------------------------------------------------------------------
    |       qubes-vm-update --quiet --force-update --targets       |        cmd.wait        |    25491.4520 |
    ---------------------------------------------------------------------------------------------------------

I had found suspicious why fedora-41-xfce was always updating, but assumed that was intended behavior. It turns out that the code did try to catch it via the watch salt directive. Sadly, that does not work for the cmd.wait.

Originally posted by @deeplow in #1244

I should also note that this mostly affects development since dom0 provisioning is done various times. On a production system dom0 reprovisioning is a rare event.

Steps to Reproduce

1. run sudo qubesctl state.highstate --show-output --out=profile
2. confirm qubes-vm-update executed and is the highest performance hit
3. repeat 1. and 2. once again to confirm this happens every time

Expected Behavior

Two mutually exclusive behaviors:

• run state update-fedora-template-if-new only when new fedora template installed
• drop update-fedora-template-if-new entirely and instead rely on updater to ensure update is performed before the system can be started.

Actual Behavior

Updater runs every time.

Comments

Suggestions to fix, any other relevant information.