Apt-get can't connect when trying to update after upgrading Whonix 15 TemplateVM and apparmor-profile-everything.

nonpronoob · March 1, 2020, 9:59pm

Hello, I recently ran ‘sudo apt-get update && sudo apt-get dist-upgrade’ on whonix 15 template for qubes and after the upgrade when I try to run ‘apt-get update’ again I get this:

W: Failed to fetch tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/dists/buster/InRelease Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host) W: Some index files failed to download. They have been ignored, or old ones used instead.

Also after updating apparmor-profile-everything, ‘sdwdate’ no longer syncs and can’t connect and when I try to enforce all apparmor profiles I get this error:

ERROR: Profile for /lib/systemd/** exists in /etc/apparmor.d/init-systemd and /etc/apparmor.d/init-systemd

I’d appreciate any help if this isn’t only qubes related.

Patrick · March 2, 2020, 7:49am

apparmor-profile-everything [and hardened-kernel] isn’t tested / supported in Qubes(-Whonix) at time of writing.

//cc @madaidan

nonpronoob · March 2, 2020, 8:04am

Hi Patrick, thanks for replying. I just want to mention that I reinstalled a fresh whonix template without the apparmor-profile-everything package but after upgrading, it still gave me the same error after trying to run apt-get update from the whonix ws template.

Patrick · March 2, 2020, 8:12am

Did you enable onion sources?

Be aware that enabling onion repositories may cause system updates to periodically fail due to their unreliability [archive]. If this becomes an issue, it is encouraged to Re-enable Clearnet Repositories so packages can be updated.

nonpronoob · March 2, 2020, 8:17am

I sure did. I had to change it back since while upgrading it asks to replace the debian.list file but I checked it again made sure everything was correct so that only the onion repos are not commented out.

nonpronoob · March 2, 2020, 7:48pm

I even tried updating with the clearnet repos but it didn’t work. I’m wondering if I’m the only one having this issue and what could be causing it.

nonpronoob · March 5, 2020, 10:28pm

All the other templates and even dom0 are able to update just fine, it’s only Whonix ws and gw that won’t connect when trying to update. Are there any logs that I could check or ways to figure out how to fix this?

Patrick · March 6, 2020, 6:55am

How did you (re-)install Qubes-Whonix?

Please make sure you install according to instructions, i.e. use salt (mentioned in documentation).

To make sure all dom0 settings are correct, in dom0, run.

sudo qubesctl state.sls qvm.anon-whonix

Patrick · March 6, 2020, 6:59am

Also before that, upgrade dom0.

There’s been some dom0 bugs. Check this out:

github.com/QubesOS/qubes-issues

networking broken, /etc/xen/scripts/vif-route-qubes fails in Whonix when IPv6 is enabled

opened 05:51AM - 20 Jun 19 UTC

closed 05:10AM - 06 Oct 19 UTC

adrelanos

This issue affects Qubes-Whonix and was triaged by @marmarek, see: https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/21 @marmarek Configuring vif* interfaces is responsibility of /etc/xen/scripts/vif-route-qubes script called by xendriverdomain service,...

C: Whonix C: Xen P: default T: bug r4.0-bullseye-stable r4.0-buster-stable r4.0-centos7-stable r4.0-fc29-stable r4.0-fc30-stable r4.0-fc31-cur-test r4.0-jessie-stable r4.0-stretch-stable r4.1-bullseye-cur-test r4.1-buster-cur-test r4.1-centos7-cur-test r4.1-fc29-cur-test r4.1-fc30-cur-test r4.1-fc31-cur-test r4.1-stretch-cur-test

And after that, run whonixcheck sys-whonix and whonix-gw-15.

And also whonixcheck --verbose might show some hints.