How to install Whonix VM from preseed or via vagrant?

Hello,
I wanted to ask: are there descriptions of how to build a Whonix image or VM, either from a Debian base system or via something like preseed or Vagrant? I would like to think about whether I can automate this 🙂

Is this what you’re looking for?

preseed isn’t required. preseed is for Debian installer based ISOs, but Whonix doesn’t have an ISO yet. [1]

A VM isn’t required either for building. That’s up to the builder and optional.

The build process is fully automated by design. Unless there’s a bug, there shouldn’t be any questions that a builder would have to manually answer.

If you start at Build and Update Whonix ™ from Source Code it will guide you from there and you’ll see what’s actually needed.

There are also lots of options for customization. The build documentation links to a page which goes into some major customizations that might be useful. Also most of the variables can be customized to influence the build process and even custom build steps could be injected. [2] Documentation of these might be lacking because usually build customizations aren’t popular. Let me know if you need something specific.


[1] Whonix-Host Operating System Live ISO, Whonix-Host Installer
[2] Whonix ™ Source Code Introduction

First of all, I think you’re doing massively important work and Whonix is working nicely, once set up. That being said:

  • From a devopsy view, https://www.whonix.org/wiki/Dev/Build_Documentation/VM is not really what I would call automated. But perhaps I do not have the full perspective of the problem.

  • It’s also not about customization, but about building it myself, so I can be sure I have the correct stuff and that it works correctly. Like going from reproducible builds to reproducible installs. 🙂

For example, for a newcomer like myself, it’s hard to debug if the UI in virt-viewer for whonix-gateway does not come up and I cannot finish the installation. I knew in the end to finish it on the command line with “virsh console”, but many people would not know how to do this, I suppose.

Actually I do not want to criticize you because I can feel how this was tremendous work to build. But yesterday I was quite a bit puzzled about a few things there 🙂 and thanks for the links, because I want to build it from scratch for myself at least once 😃

Thank you!

No worries. Not easily offended here. 🙂 Thank you for your feedback!

I see.

Well, once you’re running whonix_build script it’s fully automated.

The steps before that indeed are not.

General overview, good to know but not something that could be automated, I think.

Not sure whonix_build should do that.

That might be intrusive.

Primarily it is;

sudo apt install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev fasttrack-archive-keyring

Well, builders need to install git anyhow to acquire the source code. I don’t know how that could be further automated. Well, there could be a script that builders download, make executable and run. That would be replacing one kind of complexity with another. That script however might make the process look more complicated than it is.

Fundamentally manual process. I don’t see how it could be automated.

It’s optional and I don’t see how it could be automated. If the source code from git isn’t gpg verified then the script that automated would be optional to manually verify. No gain in automation.

Advanced users that already know how to use git and how to perform digital software verification using OpenPGP (gpg) do not need to strictly follow this documentation. See footnote(s) for details. [1]

Due to digital software verification instructions and Software Signature Verification Usability Issues these instructions might look more complicated than they actually are.

Notice: Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

Steps concerning digital software verification are pointed out as “This step is recommended for better security, but is not strictly required. (See Trust.)”

When verifying digital software signatures, these instructions will be slightly more complicated but therefore even more secure.

Part of helping how to even start the automated part.

Similar to above.

Similar to above.


For user created builds supposed to be for own use in production or even redistribution I don’t see how complexity could be reduced short of not mentioning digital software signature verification.

One way could be to not ship the source code through git but perhaps a signed tarball. But that also adds extra complexity.

It’s 99+% automated but until the automation whonix_build runs there are a few administrative / explanatory steps, some of them optional for better security where I wouldn’t know how to further automate these.

After having written all this I might have misunderstood. My answer above was thought from a developer perspective “how to better automate builds using the build script”. This might be more about how to automate the installation.

Whonix ™ VM Build Documentation might not be helpful for you. That’s just how to use Whonix build script. That is already not required when downloading the binary images from Whonix ™ for KVM.

If using Whonix ™ VM Build Documentation you’d still have to use Whonix ™ for KVM on top of that. No simplification indeed.

What you meant is that the steps on the Whonix ™ for KVM are plenty and manual?

Yes, indeed. There’s no automation available for these.

Whonix ™ for Windows, macOS, Linux inside VirtualBox is easier. As easy as that is probably possible. At least I wouldn’t know how to simplify it further given limitations caused by upstream. [1] VirtualBox installation instructions are simpler because VirtualBox has an ova import feature.

virt-manager for KVM has no ova import feature. → Enhance import-export with OVA | oVirt

There’s no other automation available (such as vagrant or a script or however that could be done given upstream lacking the OVA feature). KVM is maintained by @HulaHoop, not me, so I might not be able to say much more.


[1] Software Signature Verification Usability Issues and Proposed Solutions
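
Added example, not part of the thread and not Whonix project code: a wrapper script can enforce the optional signature check discussed earlier in the thread once the signing key fingerprint has been obtained and verified by hand. `PINNED_FPR` is a placeholder, and the function names and the sample status lines are constructed for this example.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a placeholder: replace it with the signing
# key fingerprint you verified out of band. That step stays manual.
PINNED_FPR="0000000000000000000000000000000000000000"

# Reads gpg status lines (as printed by `git verify-tag --raw`) on stdin.
# Succeeds only if a VALIDSIG line names the pinned primary key and no
# line reports a bad signature or an expired/revoked key.
# `git verify-tag` alone succeeds for ANY key in the keyring, hence the pin.
status_trusts_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; field 3 is the
            # fingerprint of the (sub)key that made the signature.
            fpr = ($12 != "" ? $12 : $3)
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(ok && !bad) }'
}

# Verify a signed tag in an already cloned repository, then check it out.
# Usage: checkout_verified_tag <repo-dir> <tag>
checkout_verified_tag() {
    repo=$1
    tag=$2
    # --raw sends the machine-readable gpg status to stderr.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    printf '%s\n' "$status" | status_trusts_pinned_key "$PINNED_FPR" || return 1
    git -C "$repo" checkout --quiet "refs/tags/$tag"
}

# Constructed sample status output (not captured from a real tag).
# $1 = signing subkey fingerprint, $2 = primary key fingerprint.
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' "$1" "$2"
}
```

The build script would only be started after `checkout_verified_tag` returns success; how the fingerprint itself is trusted is outside what the script can decide.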

You explained already the rest and there’s indeed some stuff I have to learn about still 😃

One question though:

virt-manager for KVM has no ova import feature.

Is using Vagrant not an option for you? At least it could provide the storage/automated download of boxes?