How do I enter the whonix shell from cli

@HulaHoop do you offer professional support like Patrick does? I feel I’m just missing some small thing, whether it is building the wrong version (I’ve tried master branch, and tags 15.0.0.2.9 / 15.0.0.0.9 w/ packages/serial-console-enable added to the build).

- Everything built ok (I think)
- Archived the images and XML files (tar -cvSzf), which produced an archive ~1,1GB (same size as your official ones).
- Untarred then
- Defined them w/ virsh
- Start w virsh
- virsh console hangs, displaying ‘Escape character ^]’

So if you happen to offer professional support, I’d be interested.

For matters concerning paid support please discuss this with @Patrick and the task will be reassigned as needed.

1 Like

I got it!!! Let's fucking gooooo!

My little trick was to open it with virt-manager gui, modify the /etc/default/grub lines:

GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0"
GRUB_TERMINAL=console

Then rearchive the files and transfer it to the server, and install the vm there.

I guess instead of doing it that way, I could have edited that file in the Whonix_Gateway_CLI_Image directory while it was building.

But wooohooooo! Thanks guys.

From where I’m sitting it works for me without all the acrobatics.

Oh ok, I must have done something wrong while building it then

Hey, can you tell me are you using the master branch?

And then do you have to add the package or just build with the flags? e.g. allow uncommitted & untagged?

Yes

I built it standalone for testing. It will be available as part of a point release so I won’t be fiddling with uncommitted and untagged code.

Ok.

I keep getting this error

+ export 'DEBUILD_LINTIAN_OPTS=--suppress-tags testsuite-autopkgtest-missing --quiet --pedantic --info --display-info'
+ DEBUILD_LINTIAN_OPTS='--suppress-tags testsuite-autopkgtest-missing --quiet --pedantic --info --display-info'
+ local make_lintian_exit_code=0
++ lintian --suppress-tags testsuite-autopkgtest-missing --quiet --pedantic --info --display-info /home/user/whonix_binary/genmkfile-packages-result/anon-apps-config_2.7-1_amd64.changes
+ lintian_output='I: anon-apps-config source: debian-watch-contains-dh_make-template (line 5)
N: 
N:    The watch file contains a standard template included by dh_make. Please
N:    remove them once you have implemented the watch file.
N:    
N:    Severity: wishlist, Certainty: certain
N:    
N:    Check: watch-file, Type: source
N: '
+ '[' '!' '' = 'I: anon-apps-config source: debian-watch-contains-dh_make-template (line 5)
N: 
N:    The watch file contains a standard template included by dh_make. Please
N:    remove them once you have implemented the watch file.
N:    
N:    Severity: wishlist, Certainty: certain
N:    
N:    Check: watch-file, Type: source
N: ' ']'

Unrelated. It’s due to a Debian package (lintian) upgrade. Will be fixed in future.

Ok, so guessing it's ok to set make_use_lintian=false

This is now documented here:

https://www.whonix.org/wiki/KVM#Command_Line_Interface_.28CLI.29

What’s the status of this feature? Functional as per documentation?


Installed package serial-console-enable in VirtualBox and saw the following warning during installation.

Warning: Requested serial terminal but GRUB_SERIAL_COMMAND is unspecified. Default parameters will be used.

Note: this is most likely not a VirtualBox specific warning.

What’s this warning about? Can we, should we fix it?

Default parameters will be used.

What are the default parameters? Are these safe? I.e. could non-root users gain root through use of the serial console?

Quote GNU GRUB Manual 2.12

‘GRUB_SERIAL_COMMAND’

A command to configure the serial port when using the serial console. See serial. Defaults to ‘serial’.

Looks like serial console could work from grub boot menu too. Pretty cool. Could you try please?

Needs a fresh build of a newer branch with the host side settings enabled to have effect. This hinges on other stuff that’s being developed and tested (locked root and more) so no rush for you.

Links I've seen so far say non-root does not have sufficient privilege to access serial console - considered a device:

What function/command should I test?

1 Like

15.0.0.4.9 looks like a good candidate for release.
(Whonix VirtualBox 15.0.0.4.9 - Release Candidate - Testers Wanted!)
Probably good for Whonix KVM testing too.

Serial console during grub boot menu generally. Just for a complete solution for use without any GUI. Allowing one to boot into recovery mode without requiring to choose grub boot menu using GUI. For completeness sake of this feature.

1 Like

Quote Whonix KVM 15.0.0.4.9 - Point Release

@HulaHoop

In other words, KVM serial console access now sorted.

1 Like

Can you reproduce the same issues in Whonix KVM?

1 Like

I can enter the cli shell from host console or through the option text console in VMM.

I can boot into recovery mode OK no errors of any kind.

1 Like

I’ve run into an issue today.
I’m running Whonix 15.0.0.8.7 on an Ubuntu Server 18.04 host over KVM (libvirt 4.0.0).

Following the KVM Guide[1] I was able to get everything up and running(*), including logging into both Gateway and Workstation VMs via console with the command virsh console.
After running whonixsetup and apt upgrade I wasn’t able to log in anymore as a regular user in both VMs, getting a “Permission denied” after entering the correct password. The only way to get access again was by rebooting the VM in recovery mode, logging in as root.

After some help from Patrick on the Whonix Telegram Group the issue could be traced to the recent addition of Console Lockdown[2]. Adding the terminal ttyS0, which you get connected to using virsh console, to the list of allowed consoles for the console group in /etc/security/access-security-misc.conf[3] resolved the issue.

(*): Had to change a line in the Workstation XML; <codec type='output'/> to <codec type='micro'/>, since output is only supported since libvirt 4.4.0[4]

[1]: whonix /wiki/KVM
[2]: whonix /wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
[3]: github /Whonix/security-misc/blob/master/etc/security/access-security-misc.conf
[4]: libvirt /formatdomain.html#elementsSound

2 Likes
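
Why adding ttyS0 to the allowed consoles resolves the "Permission denied" described in the last post, as an added example that is not part of the original thread or of security-misc: pam_access-style files are read top to bottom and the first matching `permission:users:origins` line decides. The rules, user name and group membership below are constructed for illustration, and the evaluator is simplified (terminal names only, no network origins).

```python
# Added example: simplified pam_access-style evaluation (first matching rule wins).
# Rules are constructed for illustration, not copied from security-misc.
RULES_BEFORE = """\
# constructed sample: console group may log in on virtual terminals only
+:(console):tty1 tty2 tty3 tty4 tty5 tty6 tty7
-:ALL EXCEPT root:ALL
"""
RULES_AFTER = RULES_BEFORE.replace("tty7", "tty7 ttyS0")  # the fix from the post

def _list_match(tokens, pred):
    # "A B EXCEPT C" matches when A or B matches and C does not.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_match(tokens[:i], pred) and not _list_match(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)

def _user_pred(user, groups):
    def pred(tok):
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            return tok[1:-1] in groups          # explicit group token
        return tok == user or tok in groups     # bare name: user, then group
    return pred

def _origin_pred(origin):
    def pred(tok):
        if tok == "ALL":
            return True
        if tok == "LOCAL":
            return "." not in origin            # LOCAL: any origin without a dot
        return tok == origin                    # terminal name, e.g. ttyS0
    return pred

def parse_rules(text):
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {n}: expected permission:users:origins")
        rules.append((n, parts[0] == "+", parts[1].split(), parts[2].split()))
    return rules

def check_login(text, user, groups, origin):
    """Return (allowed, line number of the deciding rule or None)."""
    for n, allow, users, origins in parse_rules(text):
        if _list_match(users, _user_pred(user, groups)) and _list_match(origins, _origin_pred(origin)):
            return allow, n
    return True, None  # no rule matched: pam_access grants access
```

`check_login(RULES_BEFORE, "user", {"console"}, "ttyS0")` falls through the allow line and is decided by the deny line; with `RULES_AFTER` the allow line matches first.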