How do I enter the whonix shell from cli

Can you reproduce the same issues in Whonix KVM?

1 Like

I can enter the cli shell from host console or through the option text console in VMM.

I can boot into recovery mode OK no errors of any kind.

1 Like

I’ve run into an issue today.
I’m running Whonix 15.0.0.8.7 on an Ubuntu Server 18.04 host over KVM (libvirt 4.0.0).

Following the KVM Guide[1] I was able to get everything up and running(*), including logging into both Gateway and Workstation VMs via console with the command virsh console.
After running whonixsetup and apt upgrade I wasn’t able to log in anymore as a regular user in both VMs, getting a “Permission denied” after entering the correct password. The only way to get access again was by rebooting the VM in recovery mode, logging in as root.

After some help from Patrick on the Whonix Telegram Group the issue could be traced to the recent addition of Console Lockdown[2]. Adding the terminal ttyS0, which you get connected to using virsh console, to the list of allowed consoles for the console group in /etc/security/access-security-misc.conf[3] resolved the issue.

(*): Had to change a line in the Workstation XML; <codec type='output'/> to <codec type='micro'/>, since output is only supported since libvirt 4.4.0[4]

[1]: whonix /wiki/KVM
[2]: whonix /wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
[3]: github /Whonix/security-misc/blob/master/etc/security/access-security-misc.conf
[4]: libvirt /formatdomain.html#elementsSound

2 Likes
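The lockout and fix described in the post above, as an added example that is not from the post, Whonix or security-misc: a simplified evaluator for pam_access-style rules showing why a login on ttyS0 is refused until that terminal is listed for the console group. It assumes the file uses access.conf syntax (first matching rule wins, whitespace-separated lists); the rule text, user name and group membership are constructed, not the real contents of access-security-misc.conf.

```python
"""Simplified pam_access-style evaluator (added example, not Whonix code)."""

# Constructed sample rules, NOT the real access-security-misc.conf contents.
BEFORE = """\
# allow the console group on virtual terminals only
+:(console):tty1 tty2 tty3 tty4 tty5 tty6 tty7
# refuse every other local login
-:ALL:LOCAL
"""
AFTER = BEFORE.replace("tty7", "tty7 ttyS0")  # serial console added


def list_match(tokens, pred):
    """Match a token list, honouring 'A EXCEPT B' as in access.conf."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], pred) and not list_match(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)


def check_access(conf, user, groups, tty):
    """Return (allowed, matching_rule); the first matching rule decides."""
    if tty.startswith("/dev/"):
        tty = tty[len("/dev/"):]

    def user_ok(tok):
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            return tok[1:-1] in groups  # "(name)" is an explicit group
        return tok == user or tok in groups

    def tty_ok(tok):
        # Local logins only: ALL and LOCAL both cover any tty here.
        return tok in ("ALL", "LOCAL") or tok == tty

    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if list_match(users.split(), user_ok) and list_match(origins.split(), tty_ok):
            return perm == "+", line
    return True, None  # no rule matched: pam_access grants access


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, check_access(conf, "user", {"user", "console"}, "ttyS0"))
```

The second element of the result is the rule that decided the outcome, which is the line to look at when a correct password still ends in "Permission denied".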

Serial console access does not seem to be working for me with a fresh install of Whonix 17.2.0.7 via KVM. I can start the gateway and the workstation with virsh start, and i can connect to their graphical interfaces with virt-viewer, but virsh console gets me:

Connected to domain ‘Whonix-Gateway’
Escape character is ^] (Ctrl + ])

And then nothing. Same if i start the VMs through virt-manager.

Running systemctl list-units | grep getty inside the gateway VM reports that the getty service is running on tty1.

virsh dumpxml includes:

    <serial type='pty'>
      <source path='/dev/pts/5'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/5'>
      <source path='/dev/pts/5'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>

/etc/default/grub does not contain any uncommented lines mentioning a console; it does contain:

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

and:

#GRUB_TERMINAL=console

There is no sign of a console in /proc/cmdline.

Has this feature been removed? Is it broken? Do i need to take extra steps to enable it?

Always bad to have instructions in the forums and not in the wiki. So that needs to be fixed.

Package serial-console-enable should set up everything needed inside the VM.

    sudo apt update
    sudo apt install serial-console-enable

Please let me know if that helps.

Thanks!

This package should be installed inside the Whonix-Workstation VM, right?

I have installed it, but virsh console still doesn’t work - as before, the console opens, but no prompt is printed. I tried rebooting the VM (via its GUI), still no joy.

Also, if you need to install this inside the VM, isn’t there a catch 22 situation here? How do you get access to the VM without a serial console? You need to have the GUI working. But a valuable use of a serial console is in situations where you can’t run a GUI, like a headless server.

EDIT: Ah, i see.

twic via Whonix Forum:

> Thanks!
>
> This package should be installed inside the Whonix-Workstation VM, right?

In the VM where you want to use it.

> I have installed it, but virsh console still doesn’t work - as before, the console opens, but no prompt is printed. I tried rebooting the VM (via its GUI), still no joy.
>
> Also, if you need to install this inside the VM, isn’t there a catch 22 situation here? How do you get access to the VM without a serial console? You need to have the GUI working. But a valuable use of a serial console is in situations where you can’t run a GUI, like a headless server.

Yeah. That’s a problem.

> EDIT: Ah, i see.

Indeed.

We have a wiki section on it and I just tested it and it’s working for me:

1 Like

But are there any steps missing from the wiki?

Is a user required to follow the link in the following sentence?

To interact with the Whonix-Workstation via serial console, run.

And then follow some steps only mentioned in the forums?

Assuming the serial-console preparation package is installed, they literally need to paste a one-liner command to interact with it from the host. It will even say “escape character” whatever.

Then the wiki needs to point out that the package needs to be installed. Otherwise this will be highly confusing for users.

I updated the instructions just now:
KVM, Command Line Interface (CLI)

Is this now complete? No more steps from the forums required?

sudo setup-dist: Is this still required? Should no longer be required in recent releases.

Post How do I enter the whonix shell from cli - #3 by HulaHoop also shows KVM XML modifications. Does the user need to do the XML edit?

> Yeah. That’s a problem.

I’m assuming that would be my problem right now. The same one foieac5 had in 2019 if I didn’t misunderstand. I am running KVM-Whonix on a server without GUI and I’m stuck at Escape character is.... I

Is there a way to get this working with the normal KVM release of Whonix?

Thank you :slight_smile:

Unspecific to Whonix.

Can be investigated as per:

Try to find out how to do this with Debian. Then you’ll most likely be able to do the same with Whonix KVM.

No. Not needed. Edited above post to add:

KVM Serial Console updated, tested and it’s functional.

1 Like

Yay! :partying_face:

1 Like