Error while building hardened-debian-xfce-15.0.0.1.0-2 - no Hardened-Debian.xml

onion_knight · April 29, 2019, 9:01am

While building hardened-debian-xfce qcow2:

sudo ./whonix_build --flavor hardened-debian-xfce --target qcow2 --build

Build breaks at ./build-steps.d/1150_export-libvirt-xml stage

cp: cannot stat '/home/user/Whonix/packages/whonix-libvirt/usr/share/whonix-libvirt/xml/Hardened-Debian.xml': No such file or directory

Indeed, the file does not exist:

ls Whonix/packages/whonix-libvirt/usr/share/whonix-libvirt/xml/
external_network.xml  Whonix-Custom-Workstation.xml  Whonix-Workstation.xml
internal_network.xml  Whonix-Gateway.xml

Workaround? Can be safely ignored?

Patrick · April 29, 2019, 9:20am

Yes, very much so.

It’s because there is no xml file for hardened debian yet. Hardened Debian in VMs is still underdeveloped that why it’s not ported to KVM yet. (I speculate it wouldn’t be hard once it progressed more.) I don’t think Hardened Debian KVM builds were attempted before. But due to generic written way of Whonix build script I don’t foresee too many issues.

Would you like to provide hardened debian KVM VMs? @HulaHoop

onion_knight · April 29, 2019, 9:23am

All clear, thanks!

HulaHoop · April 29, 2019, 9:39pm

For sure

Patrick · April 30, 2019, 10:08am

Please drop at https://github.com/Whonix/whonix-libvirt/tree/master/usr/share/whonix-libvirt/xml when convenient.

I guess it would be quite similar to https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-Custom-Workstation.xml except for networking and dunno if something else.

Patrick · May 5, 2019, 6:51am

Patrick · May 5, 2019, 8:40pm

This is now included in git tag 15.0.0.1.1-developers-only, entirely untested.

might need adjustment for hardened debian.

Patrick · May 6, 2019, 1:07pm

Do hardend debian builds require its own network configuration file? If yes, could you please add /usr/share/whonix-libvirt/xml/Hardened-Debian-Network.xml to whonix-libvirt package? @HulaHoop

https://github.com/Whonix/Whonix/commit/f150da741dff9af0d56227389817225e245b6332

The network XML files

are not appropriate for hardend debian builds. I was wondering to use something like the following:

   if [ "$WHONIX_BUILD_TYPE" = "gateway" ] || [ "$WHONIX_BUILD_TYPE" = "workstation" ]; then
      sudo $SUDO_OPTS cp "$libvirt_source_kvm_file" "$libvirt_target_kvm_file"
      sudo $SUDO_OPTS cp "$libvirt_source_network_file_external" "$libvirt_target_network_file_external"
      sudo $SUDO_OPTS cp "$libvirt_source_network_file_internal" "$libvirt_target_network_file_internal"
   elif [ "$WHONIX_BUILD_TYPE" = "hardened-debian" ]; then
      sudo $SUDO_OPTS cp "$libvirt_source_kvm_file" "$libvirt_target_kvm_file"
   else
      error "Unsupported WHONIX_BUILD_TYPE '$WHONIX_BUILD_TYPE'!"
   fi

But may not be needed. Could be sorted in prepare_release function libvirt_compress anyhow which needs to be updated anyhow for redistributable hardened debian VM support.

HulaHoop · May 6, 2019, 2:01pm

No, I’ve configured it to use the existing ‘default’ NAT network. Unless there is an objection to this everything should work as is.