Use socks5 proxy on Whonix Gateway to fix onion urls resolution

[marmarek]

When sys-whonix is used as updatevm, with repositories set to onion
addresses, DNF (or rather curl) refuse to resolve the addresses, even
though it is talking to Tor. See
curl/curl#11125

Fix this by setting socks proxy explicitly. Use socks5h:// protocol to
really delegate hostname resolution to the server.
Do the same in qvm-template-repo-query (qubes.TemplateSearch and
qubes.TemplateDownload services), as they also use dnf and curl.

QubesOS/qubes-issues#10253

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.10%. Comparing base (05f2ea1) to head (2e68781).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #614   +/-   ##
=======================================
  Coverage   71.10%   71.10%           
=======================================
  Files           3        3           
  Lines         481      481           
=======================================
  Hits          342      342           
  Misses        139      139           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[qubesos-bot]

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025102308-4.3-whonix&flavor=templates

Test run included the following:

• Use socks5 proxy on Whonix Gateway to fix onion urls resolution #614 (2e68781)

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025081011-4.3&flavor=update

• system_tests_basic_vm_qrexec_gui

  • TC_20_NonAudio_whonix-workstation-18: test_300_bug_1028_gui_memory_pinning (failure)
    AssertionError: b'Stage3' not found in b'' : b'2025-10-23 06:49:44....

• system_tests_extra

  • TC_00_QVCTest_whonix-workstation-18: test_010_screenshare (failure)
    AssertionError: 1 != 0 : Timeout waiting for /dev/video0 in test-in...

  • TC_00_QVCTest_whonix-gateway-18: test_010_screenshare (failure)
    AssertionError: 1 != 0 : Timeout waiting for /dev/video0 in test-in...

• system_tests_audio

  • TC_20_AudioVM_Pulse_whonix-workstation-18: test_252_audio_playback_audiovm_switch_hvm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

• system_tests_guivm_gui_interactive

  • guivm_startup: Failed (test died)
    # Test died: command 'echo 'userpass' | qvm-run --nogui -p -u root ...

Failed tests

5 failures

• system_tests_basic_vm_qrexec_gui

  • TC_20_NonAudio_whonix-workstation-18: test_300_bug_1028_gui_memory_pinning (failure)
    AssertionError: b'Stage3' not found in b'' : b'2025-10-23 06:49:44....

• system_tests_extra

  • TC_00_QVCTest_whonix-workstation-18: test_010_screenshare (failure)
    AssertionError: 1 != 0 : Timeout waiting for /dev/video0 in test-in...

  • TC_00_QVCTest_whonix-gateway-18: test_010_screenshare (failure)
    AssertionError: 1 != 0 : Timeout waiting for /dev/video0 in test-in...

• system_tests_audio

  • TC_20_AudioVM_Pulse_whonix-workstation-18: test_252_audio_playback_audiovm_switch_hvm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

• system_tests_guivm_gui_interactive

  • guivm_startup: Failed (test died)
    # Test died: command 'echo 'userpass' | qvm-run --nogui -p -u root ...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/149225#dependencies

5 fixed

• system_tests_extra

  • TC_00_QVCTest_whonix-workstation-17: test_010_screenshare (failure)
    AssertionError: 1 != 0 : Timeout waiting for /dev/video0 in test-in...

• system_tests_audio

  • TC_20_AudioVM_Pulse_whonix-workstation-17: test_223_audio_play_hvm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

  • TC_20_AudioVM_Pulse_whonix-workstation-17: test_224_audio_rec_muted_hvm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

  • TC_20_AudioVM_Pulse_whonix-workstation-17: test_225_audio_rec_unmuted_hvm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

  • TC_20_AudioVM_Pulse_whonix-workstation-17: test_252_audio_playback_audiovm_switch_hvm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

Unstable tests

Performance Tests

Performance degradation:

No issues

Remaining performance tests:

No remaining performance tests

[ArrayBolt3]

I know there was a discussion on Matrix about this, but after looking at the code and talking with Patrick, I'm slightly confused; Whonix-Gateway 18 has a curl wrapper that should set up the proxy properly already, so I would expect the bare curl command to just work. As for why this doesn't work with dnf, I'm not sure; does dnf use libcurl or similar? Or does this not run in the gateway? If this works, great, I just don't understand why our wrapper is being bypassed by dnf.

[marmarek]

Whonix-Gateway 18 has a curl wrapper that should set up the proxy properly already

Yes, I think curl options are not really necessary.

As for why this doesn't work with dnf, I'm not sure; does dnf use libcurl or similar?

Yes, it uses libcurl.