Building Whonix: I would like to add these features

Hello!

I’m a big supporter of this project and want to add some features to the derivative-maker (--target qcow2). But first I would like to ask if this is even possible:

1.) Install and update Tor Browser in the Workstation

2.) Disable Setup Wizard for both Gateway/Workstation (no dialog boxes that require “Understood”)

If you could give me some hints on where to start, I will get to work right away.

Thank you so much!

Anything is possible as long as it’s Open Source. Nothing is done that couldn’t in principle be done manually.

To install Tor Browser is already the default.
That is derivative-maker command line option --tb closed which is already the default
See help-steps/parse-cmd for documentation of this.
(Just noticed --help is broken which I’ll fix in next point release.)

It installs the hardcoded version number from file:
./packages/kicksecure/tb-updater/usr/share/tb-updater/tbb_hardcoded_version

That is:

  • CLI: ./packages/kicksecure/setup-dist
  • GUI: ./packages/kicksecure/setup-wizard-dist
    • packages/kicksecure/setup-wizard-dist/usr/libexec/setup-wizard-dist/setup-dist_check_for_start

Already supports .skip files.

  • /usr/share/setup-dist/status-files/setup-dist.skip

Depends.

Is it supposed to be a feature only quick and dirty for your private builds? In that case, you have many options:

  • a chroot-script
  • a custom build step
  • modification of the package source code (though that would be overwritten when applying updates unless you roll your own upgrades from source code)
  • a custom package added to the source code folder
  • a post build script for the images

Or a clean, redistributable source code modification that could become officially supported?

  • --disclaimer false
  • --public-tor yes

That would be interesting.

--disclaimer false could result in a chroot script that does:

touch /usr/share/setup-dist/status-files/setup-dist.skip

--public-tor yes could result in a chroot script that adds:

/usr/local/etc/torrc.d/40_tor_control_panel.conf

DisableNetwork 0

next steps:

  • expand help-steps/parse-cmd
  • expand help-steps/variables
    • env_vars_keep_list
  • create the chroot script in folder
    • ./packages/kicksecure/initializer-dist/usr/libexec/initializer-dist/chroot-scripts-post.d/
    • package: initializer-dist
  • looking at variable anon_shared_inst_tb (--tb) might help as this is passed all the way from derivative-maker until the tb-updater postinst script to update-torbrowser
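The chroot script sketched in the reply above (a .skip file for the disclaimer plus a torrc.d snippet for public Tor, gated by the proposed build options), written out as an added example that is not the project's own code. The build variables dist_build_disclaimer and dist_build_public_tor are assumed stand-ins for whatever help-steps/parse-cmd and help-steps/variables would define; the filesystem root is a parameter so the functions can be exercised against a temporary directory instead of the real chroot.

```shell
#!/bin/bash
# Hypothetical chroot-scripts-post.d/50_build_options, run inside the chroot
# by build step 4300_run-chroot-scripts-post-d via run-parts.
# Assumed build variables (names are stand-ins, kept via env_vars_keep_list):
#   dist_build_disclaimer=false  -> create setup-dist.skip
#   dist_build_public_tor=yes    -> write torrc.d snippet with DisableNetwork 0
set -eu

SKIP_FILE="usr/share/setup-dist/status-files/setup-dist.skip"
TORRC_SNIPPET="usr/local/etc/torrc.d/40_tor_control_panel.conf"
TORRC_CONTENT="DisableNetwork 0"

# Create the .skip file that setup-dist_check_for_start looks for.
# $1 = filesystem root ("/" inside the chroot, a temp dir when testing).
skip_setup_wizard() {
  root="$1"
  mkdir -p "$root/$(dirname "$SKIP_FILE")"
  touch "$root/$SKIP_FILE"
  chmod 0644 "$root/$SKIP_FILE"
}

# Write the anon-connection-wizard snippet. Idempotent: rewriting identical
# content is fine, but an existing snippet with different content is left
# alone and the function returns 2, so a customised file is never clobbered.
write_public_tor_snippet() {
  root="$1"
  target="$root/$TORRC_SNIPPET"
  mkdir -p "$(dirname "$target")"
  if [ -e "$target" ] && [ "$(cat "$target")" != "$TORRC_CONTENT" ]; then
    echo "refusing to overwrite $target with different content" >&2
    return 2
  fi
  printf '%s\n' "$TORRC_CONTENT" > "$target"
  chmod 0644 "$target"
}

# Apply whichever options the build requested to the given root.
apply_build_options() {
  root="$1"
  [ "${dist_build_disclaimer:-true}" = false ] && skip_setup_wizard "$root"
  [ "${dist_build_public_tor:-no}" = yes ] && write_public_tor_snippet "$root"
  return 0
}

# No-op for default builds: only touch the chroot when a variable asks for it.
if [ "${dist_build_disclaimer:-true}" = false ] || [ "${dist_build_public_tor:-no}" = yes ]; then
  apply_build_options /
fi
```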

Hello Patrick!

Honor to meet you, I understand you are the OG here.

Sorry for the delay I wanted to make sure I understood your answer and thank you for the tips!

My solution would be to create an additional script in packages/initializer-dist/usr/libexec/initializer-dist/chroot-scripts-post.d/50_wizard

Simply containing the following:

#!/bin/bash

touch /usr/share/setup-dist/status-files/setup-dist.skip

Would that be enough?

One more question if you don’t mind. I want to stop the warning/disclaimer, but at the same time have Tor automatically connect on the Gateway, without showing the connection wizard.

After some digging I found out that packages/anon-connection-wizard creates and adheres to this config file: 40_tor_control_panel.conf

Am I correct in assuming that the anon wizard wouldn’t start and auto connect if I put a completed config in /usr/local/etc/torrc.d/40_tor_control_panel.conf? (I searched online but couldn’t find an example config to check what needs to be in there, but I’ll just grab it from inside Whonix)

So then my 50_wizard chroot script would look this:

#!/bin/bash

touch /usr/share/setup-dist/status-files/setup-dist.skip
#will contain actual config stuff once I find out what's in a used one lol
echo -e "....." > /usr/local/etc/torrc.d/40_tor_control_panel.conf

Is it supposed to be a feature only quick and dirty for your private builds? In that case, you have many options

Again, thank you for your time. My goal is to setup a build server that spits out fresh builds whenever a new tag is available. These ready-made images will then be available for download globally, but with a specific focus on Iran and China. That’s why I want to skip wizards, so people can just plug and play instantly. For now the dirty solution will suffice until I can confidently produce builds without errors locally.

When I’m done I’d be glad to share those resources with you guys in case you might have additional uses for it.

Use the normal way to create the file and then look what’s there. It’s also still only a Tor configuration file. Also what needs to be in that file was already answered.

Hello, yes I already grabbed the config from inside Whonix.

DisableNetwork 0 disables the anon-wizard but in order to auto connect you need an additional value.

Thank you @Patrick, you are so far ahead that your original answer already contained all the answers, sorry for being too stupid to see it. :zipper_mouth_face:

For anyone else wondering, in order to create a .skip file or add configs/scripts to the actual VM filesystem, you need to do it with a post.d chroot script:
packages/kicksecure/initializer-dist/usr/libexec/initializer-dist/chroot-scripts-post.d/50_chroot_script

It’s a little confusing, because the initializer-dist/…/chroot-scripts-post.d directory which is where all the chroot scripts are located and run from, is actually a package not a build step.

Additionally, every build step uses this command to find the current, relative path:
MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

But you need the actual $CHROOT environment variable, which is only set in the 4300_run-chroot-scripts-post-d build step, to engage the filesystem.
$SUDO_TO_ROOT $CHROOT run-parts --verbose --exit-on-error "/usr/libexec/initializer-dist/chroot-scripts-post.d/"

It’s brilliantly crafted. @Patrick , @adrelanos and all the people who wrote these scripts are legit geniuses. Please don’t be too annoyed with mortals like me asking dumb questions.

This was also helpful in learning more about the derivative-maker:

I am gonna fork the repo and would like to make my build server available to the Whonix team when it’s all set up. What you are sharing with the world here is truly amazing.


No worries.

james1 via Whonix Forum:

DisableNetwork 0 disables the anon-wizard but in order to auto connect
you need an additional value.

You get that by either:

A) Learning Tor configuration (unspecific to Whonix). Or,

B) Using the GUI tools in Whonix to create these files and then by
looking at the file contents.

Indeed. These are contained in a package but only executed by this build-step:
4300_run-chroot-scripts-post-d

$CHROOT variable is available from all build-steps. It’s defined in help-steps/variables.

If it was possible to sanely enable networking by default to make it work in all regions, this would be the default. It’s not as if the connection wizard is there as a purposeful annoyance or that abolishing it through automation hasn’t been considered. There’s no 1 fits all solution that could be applied by default.

My goal is to setup a build server

Builds are local and not automated in the cloud to avoid the build server being compromised and injecting malware into the images.

In this case you would need to remove the Whonix trademark as per Whonix Binary Images Policy.

Trademark removal could be automated. Or trademark could be opt-out by default and only opt-in for official builds.

Also in this case, clean solutions are required. I don’t want to assign a lot of time to putting great user support effort into building hackish solutions.

In this case, you’d need to contribute more pull requests (source code enhancements) than support requests for clarification. Otherwise this is only a feature request and will take a long time until this gets implemented, if ever.

related to feature requests: Community Feedback

In this case you would need to remove the Whonix trademark as per Whonix Binary Images Policy.
Trademark removal could be automated. Or trademark could be opt-out by default and only opt-in for official builds.

I see. Well, I don’t want to rebrand anything, because all the credit should go to the real maintainers/creators.

I’d also be fine with these builds serving only for testing purposes, while I will just use a referer link to the official Whonix images on your Website. I should probably clarify, we’re assisting a human rights organization that focuses on net neutrality and freedom of speech. Having been a long time supporter of Whonix, I offered to help setting up ways to make it more available in certain countries.

My server is ready for deployment. I am about to finish my Debian Dockerfile that will build Whonix images with perm loop containers. Just finishing up some minor details about systemd which is considered sacrilege in Docker terms, but managing apt-cacher-ng otherwise is too much work. I’ll probably be done by tomorrow.

I’d be happy to contribute in any way I can, because I think what you guys are doing here is packaging literal freedom in qcow2/ova format and distributing it around the world.

Interesting. Are you authorized to disclose which one or make “official first contact”?

I’d be happy to contribute in any way I can, because I think what you guys are doing here is packaging literal freedom in qcow2/ova format and distributing it around the world.

Wow, glad to hear!

Do you guys collab with any of these types of organizations at all?

I’d be happy to set up first contact.