Whonix on Gentoo issues

I’m relatively new to VMs, but I have carefully followed the tutorial at:
wiki KVM (new users can put only 5 links in a post, says the notification;
this one was removed, and this is now 4, so the counting is wrong, I think)

But I have failed to get even the Whonix-Gateway started.
I have opened a bug:
https://bugs.freedesktop.org/show_bug.cgi?id=98779
where I described what happened.

Looking a little back (I really can’t work very fast at all, so pls. be
patient if you will need my replies to your advice [*] ), I can see that in
the XML there is the qxl driver, which is needed, and which wasn’t installed in my
Gentoo, and yet there wasn’t any notification about it… It’s likely the:

x11-drivers/xf86-video-qxl

package that is needed.

Also, my video is poor, I had to set the accel2d and accel3d to no in the XML… (and it’s very hard posting on an 800x600 monitor display in a fraction of the screen only…)

Also I had, and still have, a hard time figuring out how to debug (which is what
the devs at freedesktop need(ed)):
https://bugs.freedesktop.org/show_bug.cgi?id=98779#c3

I see:
https://www.spice-space.org/spice-user-manual.html#_debugging

and it’s likely that I will need to edit XML for that…

I also see:

and I don’t know what the Gentoo equivalent is for, quoting:
…Red Hat Enterprise Linux (with debuginfo-install libvirt) prior to running gdb.

I hope the post is allowed, then I may re-edit it to improve its formatting. In slow time… Hmmh, posted, but not much change needed…


[*]
To be honest, it may even come to pass that I temporarily abandon my
attempts, so hard has it been that I struggle to find the time.

Hi Miroslav. (I think I saw you on the grsec forums?) Thanks for reporting this upstream. It’s likely you ran into it before any of us because Gentoo has bleeding edge packages.

accel2d and accel3d

I changed these settings in the XML settings and should be available next release.

(and it’s very hard posting on an 800x600 monitor display in a fraction of the screen only…)

Yes, that too is a bug, but in KDE, as it turns out. We’ve reported it upstream and it’s been reproduced and fixed. Expect the patch to be backported to KDE 5.8.4 in the future.

and I don’t know what the Gentoo equivalent is for

The bug tracker categories are confusing indeed. Just try opening the tickets with an approximation of the affected component and let upstream sort it out.

Yes, I have posted a lot on grsec (I try wrestling with issues, and if I figure something out, I like telling people, but I’m often not very good at it…).
But I don’t recall any username like yours there :wink:

[quote=“HulaHoop, post:2, topic:3188, full:true”]Thanks for reporting this upstream.
It’s likely you ran into it before any of us because Gentoo has bleeding edge packages.
[/quote]
I’ll try and do what I can… Often I’m too slow to do much…

[quote=“HulaHoop, post:2, topic:3188, full:true”]accel2d and accel3d

I changed these settings in the XML settings and should be available next release.
[/quote]
It’s great to know!

I guess you mean KDE of your server’s Linux.

[quote=“HulaHoop, post:2, topic:3188, full:true”]We’ve reported it upstream and its been reproduced and fixed. Expect the patch to be backported to KDE 5.8.4 in the future.
[/quote]
And there’s more. I’m passionate about my (primitive) little programs, in this instance I used:
https://github.com/miroR/uncenz
So I think I’ll be able to show how the entire content that I was editing disappeared when I hit Esc (which is just a normal key that should not do that, I think…).
However, I was able to recover it in two ways:
with my tshark-streams.sh, also on my github space…
And by reopening this page, but no! It vanished from the instance of the page that was opened, and in which I was typing my content…
It couldn’t be recovered from it! (And so I went the recovering-from-the-SSL-streams way… and only by chance tried once more reopening the same page --so not using the same instance of the page-- and there my entire content was…)
It will be clear when I, if God wills, manage to post the network trace and the screencast at, deciding on the address right now (does not exist yet):
http://www.croatiafidelis.hr/foss/cap/cap-161124-whonix/
In a while…
EDIT: exists now, but that other one wasn’t a bug, but my poor eyesight on the 800x600 display… Couldn’t get out of it at the time… But. Done now.
(And, generally, this forum’s web is great!)

[quote=“HulaHoop, post:2, topic:3188, full:true”]and I don’t know what the Gentoo equivalent is for

The bug tracker categories are confusing indeed. Just try opening the tickets with an approximation of the affected component and let upstream sort it out.
[/quote]
Hmmh, not sure I understand. I opened a bug report for spice in freedesktop web already…
So what upstream do you mean?
Really, where to turn to? Remember the qxl wasn’t installed, and Whonix didn’t complain…

Yes on the host.

Oh ok. I thought you were filing on Red Hat’s bugzilla, where their software component list is a bit limited when tagging a ticket.

Thanks for helping. Please keep us updated on the progress of the tickets you filed.

I will. But on the missing qxl package while the XML did not complain, it’s probably here, and from you, that I can learn about it…

Again, the:
x11-drivers/xf86-video-qxl
wasn’t installed. It probably couldn’t work. What functionality should have checked on it and told the user?

Here, in my:
/etc/libvirt/qemu/Whonix-Gateway.xml

  <model type='qxl' ram='262144' vram='262144' vgamem='16384' heads='1' primary='yes'>
    <acceleration accel3d='no' accel2d='no'/>
  </model>

and the xf86-video-qxl had not been installed. Should it be mentioned in the KVM Wiki, or am I missing something?

Of the other issues, one I trust you solved, the accel2d and accel3d…

But the debug howto… That takes more of a programmer, than what I can achieve at best, which is: a tester… I’ll try, but can’t promise much.

We already install this package in Whonix but it’s named differently: xserver-xorg-video-qxl vs xf86-video-qxl. Even its description says it’s the same package. Note that this package is guest only and has no relevance outside.

https://packages.debian.org/stretch/xserver-xorg-video-qxl

This package is built from the X.org xf86-video-qxl driver module.

I have done a lot of work studying and preparing Whonix, and I’ll show just the final steps (it’s been days of work :wink: ).

I got:

virsh # domdisplay Whonix-Workstation
spice://127.0.0.1:5901
virsh # domdisplay Whonix-Gateway
spice://127.0.0.1:5900
virsh # 

and that shows I did install something correctly.

However, I have a sans-dbus system, and while I’m fine having Whonix with KDE, which, IIUC, has dbus as a dependency, I don’t want to install dbus in my system (nor systemd, just to mention).

And my virt-manager is GUI-less. Well, in the sense of it’s own GUI.

Rather, my virt-manager can use virt-viewer instead.

Indeed I have been able to run Tails in such a sans-dbus virt-manager, with virt-viewer. [1] [2]

The short question is, can virt-viewer be used instead of virt-manager GUI with Whonix?

And the longer question, with the logs, may follow, if there is interest. And very gladly (but patience may be needed, old man here, work slowly).


[1] Tails - virt-manager
https://tails.boum.org/doc/advanced_topics/virtualization/virt-manager/index.en.html
[2] GUI-less (non-dbus) virt-manager (to run Tails in Gentoo)
https://lists.gt.net/gentoo/user/321797

Maybe just to draw attention that with grsecurity hardened kernels there was (sic!) this bug:
=sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM guests
https://bugs.gentoo.org/show_bug.cgi?id=597554
I wrote “there was” because that bug is kind of solved. Kind of. Because new versions of grsecurity, for kernels 4.9, simply (for workstations) do not enable the (let’s call it by that name:) “offending functionality” (because likely the story is wider and deeper; also beyond my competence)…
The:
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
must be in all hardened kernels that need to run VMs…
That is the likely cause that I couldn’t run Whonix in November last year…

And now… If only it can be run without dbus in the host system, i.e. with virt-viewer instead of the virt-manager’s own GUI… If only!


Thanks for keeping this thread updated. Grsecurity’s great features can go a lot further if only userspace devs get their act together.

I’m glad you appreciate it… But you don’t seem willing, or are being forgetful of, replying to whether Whonix can work without dbus in the host…
Anyway, I reached a dead end. After being unsuccessful in starting Whonix with virt-viewer, all/any of these:
$ virt-viewer Whonix-Gateway
$ virt-viewer Whonix-Gateway
$ virt-viewer Whonix
got me this kind of response:

a little GUI window that pops up carrying the message:

“Failed to connect: No virtual machine found.” (without quotes)

and something like the round road sign for direction forbidden (red with a
white dash in it).

I retried to virt-install and then virt-viewer tails.
And that failed too…
Then I thought it might be Whonix got in the way to Tails, and undefined, and eventually destroyed Whonix domains…


Well, maybe you remember to reply to me about virt-viewer and no-GUI virt-manager (i.e.: no-dbus)…
Regards!


Sorry I didn’t know you were addressing me. I thought you were posting info on various experimentation on Gentoo to help out others. In future please use @username so I don’t become confused :slight_smile:

After checking, it seems libvirt and virt-viewer are tightly integrated with systemd and D-Bus (at least on Debian anyway). Unfortunately there is no way around that and that’s kind of annoying. Well there you have it. Now it’s GNU/systemd not GNU/Linux :wink:

Nope! Not that tightly. Pls. see the link (already given, and in these circles it would not be looked upon agreeably if I repasted it) to the:
“GUI-less (non-dbus) virt-manager (to run Tails in Gentoo)”
that I gave.
It is still possible in Gentoo! And Gentoo is often followed in its moves by the few non-systemd distros (such as OpenRC being adopted in some, such as Devuan, the Debian non-systemd fork). [1]
Actually, I think I should have run virt-install to be able to run virt-viewer!
It must be possible.
Look, I have destroyed the domains, as I said, but I had been taking notes, and more: I had been using tripwire to take notice of all and any changes in the system, particularly the configuration files (along with find ./ -xdev -name '*' before and after, and diff’ing, to get all the new files listed), to learn how libvirt, qemu, and friends install and work, and how Whonix-* gets deployed…
I will be able to restart from scratch (I use a simple from-dd-backup, repeat-procedure-friendly total system backup).
I am now restarting all from scratch, the third time…
So, if you look up that page, should that be possible, using virt-install and then virt-viewer, the Gentoo-installed no-dbus versions of those (the virt-manager and the virt-viewer with the gtk+-2, not gtk+-3, dependency), to install and run Whonix?


[1] So pls. do take note. In the longer time perspective, there will be others asking this same question. Unix is not dead yet. Don’t disregard that Subgraph is grsecurity-, not SELinux-, based, and that there is a push for basing Tails on grsecurity hardening, not NSALinux hardening (I mean SELinux, but it must be stressed that the NSA gave it to us :wink: )… I don’t want to start a discussion on systemd and NSALinux, but only want to draw attention that you are likely to be asked again the question that I ask here… and other related, certainly privacy-related, fundamental questions like my question here…

Why is my span of attention unstable (well, I’m 60, as I said…)

Just I noticed this fine line too late. Sorry! (Every now and then, I’m not distinguishing a tree here and there in the forest.)
And the tone of my so far 3-times edited reply previous to this one would have been in only some sentences a little warmer :wink: had I noticed with full attention “that fine tree” from the parable.
But no, nothing to add. Just:
it’s not GNU/systemd all over yet. Not yet, and will never be. Because Unix is not dead yet and must never be!


It’s very good that you managed to get it to work without systemd deps.
You still use the XML files included with Whonix right? It does more than just point to where the image files are.

Also, yes, SELinux is not system hardening at all - it doesn’t even attempt to strengthen the kernel. It’s just a standalone MAC that can be easily bypassed or in some cases make the system more vulnerable to attack, as shown in Spender’s work.

The only way to save Linux from Linus is grsecurity. But Linus’ team dealt with those guys (spender and PaX Team) so badly that they decided to teach them a lesson… And as a consequence, it’s Joe users that take the pains… No full RAP (Reuse Attack Protection) in the demo grsecurity unless you buy support…
And I don’t blame them… They kept fixing Linux, and for all the huge contribution, they couldn’t even make ends meet; at times spender (PaX Team is anonymous) approached poverty, IIUC…
And Linus is basking in almost luxury, in comparison… And is keeping Linux insecure, because, hey, grsecurity wasn’t invented in his backyard…
They have, recently, started trying to use spender and PaX Team’s ideas, but without engaging with them…
However, it takes genii to deploy their code anew, without their help… And genii don’t just grow on trees, or do they?..

I work slowly. I just restored my system to start from scratch… Indefinite, little or not so little, time till I make the next move.

Following the instructions at the

miro@g0n ~ $ tar xvf Whonix-Gateway-13.0.0.1.4.libvirt.xz
Whonix-Gateway-13.0.0.1.4.xml
Whonix-Gateway-13.0.0.1.4.qcow2
Whonix_network-13.0.0.1.4.xml
miro@g0n ~ $ tar xvf Whonix-Workstation-13.0.0.1.4.libvirt.xz
Whonix-Workstation-13.0.0.1.4.xml
Whonix-Workstation-13.0.0.1.4.qcow2

I edited just these (see, the defaults are ‘yes’, not ‘no’):

g0n miro # grep -r accel /etc/libvirt/qemu/Whonix-*
/etc/libvirt/qemu/Whonix-Gateway.xml: <acceleration accel3d='no' accel2d='no'/>
/etc/libvirt/qemu/Whonix-Workstation.xml: <acceleration accel3d='no' accel2d='no'/>
g0n miro #

for reasons explained earlier in this topic.

miro@g0n ~ $ virsh -c qemu:///system define Whonix-Gateway-13.0.0.1.4.xml
Domain Whonix-Gateway defined from Whonix-Gateway-13.0.0.1.4.xml
miro@g0n ~ $ virsh -c qemu:///system net-define Whonix_network-13.0.0.1.4.xml
Network Whonix defined from Whonix_network-13.0.0.1.4.xml
miro@g0n ~ $ virsh -c qemu:///system net-autostart Whonix
Network Whonix marked as autostarted
miro@g0n ~ $ virsh -c qemu:///system net-start Whonix
Network Whonix started
miro@g0n ~ $ virsh -c qemu:///system define Whonix-Workstation-13.0.0.1.4.xml
Domain Whonix-Workstation defined from Whonix-Workstation-13.0.0.1.4.xml
miro@g0n ~ $ ls -ld /var/lib/libvirt/images/
drwxr-xr-x 2 qemu libvirt 4096 2016-11-26 21:08 /var/lib/libvirt/images/
miro@g0n ~ $ ls -ld /var/lib/libvirt/
drwxr-xr-x 9 root root 4096 2017-02-27 23:25 /var/lib/libvirt/

And I moved the images as grsecurity admin (root is not much more powerful than normal user here):

miro@g0n ~ $ ls -la /var/lib/libvirt/images/
total 8974200
drwxr-xr-x 2 qemu libvirt 4096 2017-02-28 00:21 .
drwxr-xr-x 9 root root 4096 2017-02-27 23:25 ..
-rw-r--r-- 1 miro miro 107384668160 2014-05-06 00:00 Whonix-Gateway.qcow2
-rw-r--r-- 1 miro miro 107384668160 2014-05-06 00:00 Whonix-Workstation.qcow2
miro@g0n ~ $

(and I have also done the cleaning, where the instructions say so)

However, the next step I’m going to do after I have some sleep (it’s well past 01:30, Central European Time).

I have GUI-less virt-manager because my system is sans-dbus. And maybe not even virsh is the right thing to use next, but virt-install, because it does what the GUI virt-manager does, only without GUI, and then lets virt-viewer start the GUI.

Of course, I might revisit the running of Tails first from the already given,
to make sure I can still run Tails like that:
GUI-less (non-dbus) virt-manager (to run Tails in Gentoo)
( link already given previously )

Just thought to post this first. Maybe I get advice/opinion on it.

I’ve done a lot of work figuring out the right grsecurity policy to set for virtualization generally:
Libvirt virtualization policies
https://forums.grsecurity.net/viewtopic.php?f=5&t=4675

( If the kind reader is advanced in setting RBAC grsecurity policies, (s)he will chuckle at my eventual finding of some solutions only in the very last diffs! Without those solutions, the above deployment, up to likely virt-install/virt-viewer run on it next, would not be possible, not as smooth as it went! )

The virtualization RBAC policies work fine, and I can run grsecurity fully deployed when going online with virtual machines, as well as iptables enabled (haven’t posted about the latter yet):

Devuan image in Qemu (9)
https://www.croatiafidelis.hr/foss/cap/cap-161015-qemu-devuan/qemu-devuan-9.php

There my Gentoo system shows fully functional, and secure, with qemu starting Devuan, official and unofficial (Refracta). I hope it will soon be fully functional, and secure, with Whonix.

Also, let me report that the bug mentioned some three posts ago has been solved. It was much less conspiratorial than I led you to believe. Shame on me! See for yourself:

=sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM guests
https://bugs.gentoo.org/show_bug.cgi?id=597554#c75

Ah, readers here might be interested in my views for which folks from secure-os have confirmed that they are considering what I related to them:

[Secure Desktops] dbus, gnunet (was: unstable dnssec-root)
https://secure-os.org/pipermail/desktops/2017-February/000180.html

Good night for now!


Upon inspecting the logs for the post at grsecurity forums

https://forums.grsecurity.net/viewtopic.php?f=5&t=4675&p=17004#p17004

, which I came to do belatedly, having successfully deployed Tails (but without persistence :wink: ) in virtual machine, with grsecurity and iptables enabled, but only with pure Qemu:

https://www.croatiafidelis.hr/foss/cap/cap-161015-qemu-devuan/qemu-devuan-10.php

… After all my attempts at re-deploying it with virt-manager’s virt-install were unsuccessful, [upon inspecting the logs for that post at grsecurity forums] I noticed more interesting events in my cloned machine’s logs from yesterday.
(Of the two same-model hardware systems, the cloned one is the expendable one that I use for going online. I build and install more permanently, under air-gapped conditions, on another machine, which I call the master, and from it I clone the other machine to the bit, in such a way that the cloned partitions give the same hash as the original. On top of that, their system partitions are encrypted, so these methods do provide some security in themselves…)

First, this is the script:

cat /usr/local/bin/TailsVM08.sh

#!/bin/sh
# Wrapper around virt-install; extra arguments (e.g. --cdrom ...) are passed through.
# Note: --virt-type is given twice below; virt-install keeps the last value,
# so the domain is created with --virt-type qemu, not kvm.
exec virt-install \
	--connect qemu:///system \
	--virt-type kvm \
	--name tails08 \
	--disk tails08.img \
	--memory 512 \
	--network network=default \
	--virt-type qemu \
	--video qxl \
	--channel spicevmc \
	"$@"

Pls. do notice what is relevant for this Whonix-in-Gentoo installation topic, and that is those lines in the script that will turn out to cause some “CRITICAL” and some “failed” to be printed on the screen… Notice:

--video qxl \
--channel spicevmc \

In the Whonix-Gateway.xml and Whonix-Workstation.xml there are lines to the same effect, but only in XML:

[XML elements not preserved in the post]
I do have Gentoo’s x11-drivers/xf86-video-qxl, app-emulation/spice, app-emulation/spice-protocol, and net-misc/spice-gtk installed in my system, but…

But this is what happened in the terminal:

$ TailsVM08.sh --cdrom tails-i386-2.10.iso 
WARNING  No operating system detected, VM performance may suffer. Specify an
OS with --os-variant for optimal results.

Starting install...
Creating domain...
|    0 B  00:00:00     

(virt-viewer:9916): GSpice-CRITICAL **: egl init failed: cannot create EGL context

(virt-viewer:9916): GSpice-CRITICAL **: egl realize failed: failed to activate context
                                    
$

Little use was it that tails08 was, for some more time (until I started virsh and “shutdown”, “destroy”ed and “undefine”d it), one of the inactive, but installed, domains…

Little use was that it looked like this:

# virsh
Welcome to virsh, the virtualisation interactive terminal.

virsh # list
 Id    Name                           State
----------------------------------------------------

virsh # list --inactive --uuid --name
2823ce11-81b4-4c74-b465-2bb5980951c0 tails08                       
042b1507-6257-4e52-96b1-b9aef92e8b20 tails09                       
4e799823-f1cc-4fed-8ba0-7f345c4f4225 Whonix-Gateway                
12a4fae2-6585-4230-93ad-45e65ce3d438 Whonix-Workstation            

virsh #

Because after some searching with duckduckgo.com (and deep thinking; it didn’t just dawn on me pronto, I’m not particularly talented at all), the EGL context is the mouse and keyboard! And it was missing… Aaaargghh! I really could start the virtual machine – the domain – but I wouldn’t be able to either type or click in it!

In case, as I believe, spice is essential to deploying Whonix, I’ll have to look more into what to try next. (Obviously reconsider the installation that I have, see the link to the “GUI-less (non-dbus) virt-manager (to run Tails in Gentoo)” that I already gave…

No, I’m not letting dbus into my system, no way! But the question is if it is possible to do without it, that really might show to be the question… Might be a good thing that my home distro is Gentoo, where there might be, with a lot of work and testing, good chances to accomplish this one another task to live without dbus… But who knows…

If anyone has any suggestions/advice, I’ll be glad to consider what they have to say!

I have successfully completed, as I posted in the previous post, all the steps up unto

PASTING:
Start[edit]

If you know Virtual Machine Manager, there is nothing special about starting Whonix VMs …
PASTED.

I’m almost certain that without a working spice and friends installation the starting of Whonix cannot work, but I will try it next… (the reader probably hasn’t yet noticed that I like to create suspense, or has (s)he?)

Anyway, the next that I will try, and report about:

PASTING:
Command Line Interface (CLI)[edit]

Use

virsh -c qemu:///system start Whonix-Gateway

To start Whonix-gateway. Respectively

virsh -c qemu:///system start Whonix-Workstation

To start workstation
PASTED.

TBH I don’t have an idea what these commands are supposed to get going on my system…

Is that just going to get Whonix-Gateway and Whonix-Workstation running, but without anything GUI, and will it tell me to start it with virt-viewer?

Is there a video somewhere about it? I mean, a simple video, without the Schmoog (or the likes, and his parasitic “analytics” and “tagging” services) intrusion on my system? If I am to make it, there will be a video (and without parasitic intrusionals on you, just plain webm)… But for me to make it, you may have to be patient much longer yet… (and these are only my intentions and wishes, not a promise).

@miroR have you checked “heads”, which is Tails based on Devuan with grsecurity

or

http://fz474h2o46o2u7xj.onion/about.html

No, I haven’t, but I sure will! Thanks a bunch!

Probably unrelated but you will need to remove

    <acceleration accel3d='no' accel2d='no'/>

and close the model tag above it.

To start a VM with a GUI display you will need to rely on libvirt and the spice client, which are tightly integrated.

virsh is the command line program that talks to libvirt to import and set up machines from XML files.
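The thread does the whole import by hand: edit the `<acceleration>` attributes under `<model type='qxl'>`, then `virsh define` / `net-define` / `net-autostart` / `net-start`, then `virsh start` each guest, and the last reply suggests removing `<acceleration>` altogether and closing the `<model>` tag. The script below is an added example (not code from the Whonix project or from anyone in the thread) that does those steps without the virt-manager GUI. It assumes the Whonix XML is plain libvirt domain XML as quoted above, that the network defined by `Whonix_network-*.xml` is named `Whonix` (as the `net-define` output shows), and that the Gateway should be started before the Workstation. The `<domain>` sample is constructed from the fragment quoted in the thread; the real files carry many more elements, which pass through untouched. `virsh` is only invoked when `run=True`, so the default is a dry run.

```python
"""Import the Whonix KVM images into libvirt from the command line (added example)."""
import subprocess
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the <video> fragment quoted in the thread, wrapped in a
# minimal <domain> so it parses stand-alone (accel defaults to 'yes' as shipped).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <devices>
    <video>
      <model type='qxl' ram='262144' vram='262144' vgamem='16384' heads='1' primary='yes'>
        <acceleration accel3d='yes' accel2d='yes'/>
      </model>
    </video>
  </devices>
</domain>
"""

VIDEO_MODEL = "./devices/video/model"


def set_acceleration(xml_text, accel2d="no", accel3d="no"):
    """Set (creating if absent) <acceleration> under every <video><model>; return new XML."""
    root = ET.fromstring(xml_text)
    for model in root.iterfind(VIDEO_MODEL):
        accel = model.find("acceleration")
        if accel is None:
            accel = ET.SubElement(model, "acceleration")
        accel.set("accel2d", accel2d)
        accel.set("accel3d", accel3d)
    return ET.tostring(root, encoding="unicode")


def drop_acceleration(xml_text):
    """Remove <acceleration/> so <model .../> is emitted self-closed (the 'close the
    model tag' shape the last reply asks for)."""
    root = ET.fromstring(xml_text)
    for model in root.iterfind(VIDEO_MODEL):
        for accel in model.findall("acceleration"):
            model.remove(accel)
        model.text = None  # drop leftover whitespace so the element self-closes
    return ET.tostring(root, encoding="unicode")


def video_models(xml_text):
    """Return [(type, accel2d, accel3d)] per <video><model>, None where no <acceleration>."""
    out = []
    for model in ET.fromstring(xml_text).iterfind(VIDEO_MODEL):
        accel = model.find("acceleration")
        out.append((model.get("type"),
                    None if accel is None else accel.get("accel2d"),
                    None if accel is None else accel.get("accel3d")))
    return out


def import_commands(gateway_xml, workstation_xml, network_xml, uri="qemu:///system"):
    """The virsh sequence from the thread as argv lists: define the guests and the
    network, autostart and start the network, then start Gateway before Workstation
    (assumption: the Workstation's traffic goes through the Gateway)."""
    v = ["virsh", "-c", uri]
    return [
        v + ["define", gateway_xml],
        v + ["net-define", network_xml],
        v + ["net-autostart", "Whonix"],
        v + ["net-start", "Whonix"],
        v + ["define", workstation_xml],
        v + ["start", "Whonix-Gateway"],
        v + ["start", "Whonix-Workstation"],
    ]


def run_commands(commands, run=False):
    """Print each command; execute it only when run=True (dry run needs no virsh)."""
    for argv in commands:
        print(" ".join(argv))
        if run:
            subprocess.run(argv, check=True)


def patch_file(path, drop=False):
    """Rewrite a domain XML file in place with acceleration set to 'no' or removed."""
    p = Path(path)
    text = p.read_text()
    p.write_text(drop_acceleration(text) if drop else set_acceleration(text))


if __name__ == "__main__":
    # usage: script.py Gateway.xml Workstation.xml Network.xml [--run] [--drop-accel]
    gw, ws, net = sys.argv[1:4]
    for f in (gw, ws):
        patch_file(f, drop="--drop-accel" in sys.argv)
    run_commands(import_commands(gw, ws, net), run="--run" in sys.argv)
```

Run it once without `--run` to see the exact `virsh` lines it would execute, then with `--run` after you have moved the qcow2 images into `/var/lib/libvirt/images/` as the Wiki says; `virsh -c qemu:///system domdisplay Whonix-Gateway` then gives the spice URI to hand to `virt-viewer`.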