Build Error - APT - Debian base on Docker

I’m trying to install Whonix in Docker. I have created a repo.

My Dockerfile (Debian Buster) seems to successfully prepare for the build. During execution of the build script

sudo /home/user/Whonix/whonix_build --flavor whonix-gateway-cli --target root --build

I get what looks like an apt error:

+ sudo --non-interactive -u root git submodule update --init --recursive --jobs=200
+ true 'INFO: Updated git sub modules.'
+ mkdir -p /usr/lib/security-misc
+ cp /home/user/Whonix/packages/security-misc//usr/lib/security-misc/apt-get-wrapper /usr/lib/security-misc/apt-get-wrapper
+ cp /home/user/Whonix/packages/security-misc//usr/lib/security-misc/apt-get-update-sanity-test /usr/lib/security-misc/apt-get-update-sanity-test
+ /home/user/Whonix/packages/security-misc//usr/lib/security-misc/apt-get-wrapper -o Acquire::http::Proxy=http://127.0.0.1:3142 -o Acquire::https::Proxy=http://127.0.0.1:3142 -o Acquire::tor::Proxy=http://127.0.0.1:3142 -o Acquire::Languages=none -o Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled=false -o Apt::Install-Recommends=false -o Acquire::Retries=3 -o Dpkg::Options::=--force-confnew -o Dir::Etc::sourcelist=/home/user/Whonix/build_sources/debian_stable_current_clearnet.list -o Dir::Etc::sourceparts=- update
Ign:1 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease
Ign:2 http://HTTPS///deb.debian.org/debian buster-updates InRelease
Ign:3 http://HTTPS///deb.debian.org/debian buster InRelease
Ign:1 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease
Ign:2 http://HTTPS///deb.debian.org/debian buster-updates InRelease
Ign:3 http://HTTPS///deb.debian.org/debian buster InRelease
Ign:1 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease
Ign:2 http://HTTPS///deb.debian.org/debian buster-updates InRelease
Ign:3 http://HTTPS///deb.debian.org/debian buster InRelease
Err:1 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease
  Could not connect to 127.0.0.1:3142 (127.0.0.1). - connect (111: Connection refused)
Err:2 http://HTTPS///deb.debian.org/debian buster-updates InRelease
  Unable to connect to 127.0.0.1:3142:
Err:3 http://HTTPS///deb.debian.org/debian buster InRelease
  Unable to connect to 127.0.0.1:3142:
Reading package lists...
W: Failed to fetch http://HTTPS///deb.debian.org/debian-security/dists/buster/updates/InRelease  Could not connect to 127.0.0.1:3142 (127.0.0.1). - connect (111: Connection refused)
W: Failed to fetch http://HTTPS///deb.debian.org/debian/dists/buster-updates/InRelease  Unable to connect to 127.0.0.1:3142:
W: Failed to fetch http://HTTPS///deb.debian.org/debian/dists/buster/InRelease  Unable to connect to 127.0.0.1:3142:
W: Some index files failed to download. They have been ignored, or old ones used instead.
++ errorhandlergeneral ERR

Why is the build script trying to hit malformed URLs like http://HTTPS///deb.debian.org/debian ?

Not malformed. These are consumed by apt-cacher-ng.
apt-cacher-ng should be running on 127.0.0.1:3142
apt-cacher-ng should have been installed already during step build-steps.d/1120_prepare-build-machine.

Docker-Whonix/Dockerfile at master · bitnom/Docker-Whonix · GitHub

When building from source code, adding the Whonix signing key has only one optional use (recommended for better security): verification of Whonix source code.

There is no need to add Whonix signing key to /etc/apt/trusted.gpg.d when building from source code.

For a proper implementation, it shouldn’t be using --target root. Rather --target raw initially during development. And then add another build step to convert to the docker image format, which I haven’t looked into.

Btw I won’t be spending time on personal projects / hacks.

1 Like
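
An added example (not part of the thread or of Whonix's build scripts): a shell preflight that shows how the `http://HTTPS///` source URLs in the log map to the upstream URLs apt-cacher-ng fetches, and checks that something is listening on the proxy address before the apt step runs. The function names are hypothetical, and the listening check assumes bash is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Whonix build scripts.

# apt-cacher-ng convention: "http://HTTPS///host/path" asks the proxy to fetch
# "https://host/path" upstream. Other URLs pass through unchanged.
acng_upstream_url() {
    case "$1" in
        http://HTTPS///*) printf 'https://%s\n' "${1#http://HTTPS///}" ;;
        *)                printf '%s\n' "$1" ;;
    esac
}

# Reduce a proxy URL such as the Acquire::http::Proxy value to host:port.
proxy_hostport() {
    hp=${1#*://}
    hp=${hp%%/*}
    printf '%s\n' "$hp"
}

# Succeeds only if a TCP connection to host ($1) and port ($2) can be opened.
# Uses bash's /dev/tcp (assumption: bash is available on the build machine).
proxy_listening() {
    bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Fail early with a clear message instead of apt's "Connection refused".
acng_preflight() {
    hp=$(proxy_hostport "$1")
    host=${hp%:*}
    port=${hp##*:}
    if proxy_listening "$host" "$port"; then
        echo "proxy reachable at $hp"
    else
        echo "nothing listening on $hp; start apt-cacher-ng before the apt step" >&2
        return 1
    fi
}

# Usage, with the proxy address from the log above:
#   acng_preflight http://127.0.0.1:3142
```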

Thank you for that. In regards to hacks, I’ll do the work if you can just point me back in the right direction when I get stuck. In exchange, I’ll start making donations. I’m getting paid (Probably not enough) to do this so I’ll pass some on to Whonix.

Please HOLD with donations. I am not sure there is such a thing as a conditional donation but I am not accepting conditional donations without prior agreement.

Why? That wouldn’t scale if anyone could conditionally donate like 5 USD and then expect complex things being maintained such as RPi support and/or any tasks which require several hours of work and/or ongoing maintenance hours.

A conditional donation seems more like a contract, payment for service/goal.