Problems on upgrading to Whonix 11

  1. Dialog will run up CPU to 100% in both workstation and gateway VMs. I thought this daemon was related to wireless networking?

  2. Tor’s control port cannot be reached from workstation VMs. Whonixcheck in gateway says “File /var/run/control-port-filter-python/pid does not exist”, everything else is okay. /etc/torrc in gateway just has the DisableNetwork 0 line uncommented w/o any other changes. Here’s the output of whonixcheck -v in the gateway:

user@host:~$ whonixcheck -v
whonixcheck verbose output...
Script running as user
[INFO] [whonixcheck] Pin torproject.org certificate: disabled.
[INFO] [whonixcheck] Root Check Result: Ok, not running as root.
[INFO] [whonixcheck] Check Initializer Result: /var/lib/whonix-initializer/status-files/first_run_initializer.fail does not exist, ok.
[INFO] [whonixcheck] Check Virtualizer Result (debug): systemd_detect_virt_result: xen
[INFO] [whonixcheck] Check Virtualizer Result: Unsupported Virtualizer xen xen-hvm detected, but WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER is set, continuing.
[INFO] [whonixcheck] KVMClock Result: /sys/devices/system/clocksource/clocksource0/current_clocksource exist, is xen, not kvm-clock, ok.
[INFO] [whonixcheck] IP Forwarding Result: /proc/sys/net/ipv4/ip_forward is 0, ok.
[INFO] [whonixcheck] Check whonixsetup Result: done, ok.
[INFO] [whonixcheck] Tor Check Result: "DisableNetwork 1" in /etc/tor/torrc commented out, ok.
[INFO] [whonixcheck] Tor Config Check Result: /etc/tor/torrc, ok.
[INFO] [whonixcheck] Tor Pid Check Result: Pid 16555 running., ok.
[INFO] [whonixcheck] Check Package Manager Running Result: None running, ok.
[ERROR] [whonixcheck] Control Port Filter Proxy Test Result: File /var/run/control-port-filter-python/pid does not exist. Please report this Whonix bug!

And here is running sudo whonixsetup -v from a workstation VM:

user@host:~$ whonixcheck -v
whonixcheck verbose output...
Script running as user
[INFO] [whonixcheck] Pin torproject.org certificate: disabled.
[INFO] [whonixcheck] Root Check Result: Ok, not running as root.
[INFO] [whonixcheck] Check Initializer Result: /var/lib/whonix-initializer/status-files/first_run_initializer.fail does not exist, ok.
[INFO] [whonixcheck] Check Virtualizer Result (debug): systemd_detect_virt_result: xen
[INFO] [whonixcheck] Check Virtualizer Result: Unsupported Virtualizer xen xen-hvm detected, but WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER is set, continuing.
[INFO] [whonixcheck] KVMClock Result: /sys/devices/system/clocksource/clocksource0/current_clocksource exist, is xen, not kvm-clock, ok.
[INFO] [whonixcheck] IP Forwarding Result: /proc/sys/net/ipv4/ip_forward is 0, ok.
[INFO] [whonixcheck] Check whonixsetup Result: done, ok.
[INFO] [whonixcheck] Tor Check Result: "DisableNetwork 1" in /etc/tor/torrc commented out, ok.
[INFO] [whonixcheck] Tor Config Check Result: /etc/tor/torrc, ok.
[INFO] [whonixcheck] Tor Pid Check Result: Pid 16555 running., ok.
[INFO] [whonixcheck] Check Package Manager Running Result: None running, ok.
[ERROR] [whonixcheck] Control Port Filter Proxy Test Result: File /var/run/control-port-filter-python/pid does not exist. Please report this Whonix bug!

The control port package is definitely installed and I even ran apt-get install --reinstall

  3. Perhaps conversely, I was able to connect to my XMPP hidden service w/ xmpp-client (runs on port 5222 like usual–btw why is there no xmpp related lines in /usr/share/tor/tor-service-defaults?). Since I use a separate VM for this, I know Tor will default to IsolateAddr, but I’d like to know how I can configure this myself. In fact, to be totally honest (and let me prefix this by saying Patrick and the Whonix team you’ve done awesome work and I so much appreciate it) I’ve found the documentation to be rather unorganized and incomplete. This is getting into another problem that I’ll cross-reference Redirecting to Google Groups as this is no longer so much related to upgrade difficulties.

  4. Pond has not been building correctly on Whonix 11 workstation even though it does on Debian 8 regular VM. Thus I’ve been building it there and then switching the root VM. Go is saying there is no buildable Go source in the Pond source dir under the $GOPATH. Same version of Go and everything.

  5. timesync is not working in gateway 11, but not workstation 11.

Edit: s/sdwdate/timesync

I just found the Whonix 11 builds hiding in the Qubes yum repo and I’m happy to say the two I chose are working fine. I do have a question regarding these though.

What’s the difference between the gw-3.0.3, gw-minimal-3.0.3, and gw-experimental-3.0.3?

Glad you’re making GNOME templates, but I must ask why it’s significantly fatter than the KDE one. I would guess they would be about the same size unless you’re also including more applications in the GNOME image.

Still not sure what went wrong with the upgrade, but have a feeling it might be a result of me cutting what I thought were non-essential packages. I mostly went with ones like kwrite, kmixer, and thunderbird, but I think this removed some dependencies that were useful on their own during apt autoremove. Not sure, but don’t think debugging would be particularly useful at this point w/o the log and with my messing with the template. From now on:

(1) I’m going to not remove any packages from the template.
(2) Next time I do something like this I will set tmux to log the process, for later analysis in case of error.

For upgrading, did you use Release Upgrade instructions? Those contain specific commands required to fix the control port filter issue.

What's the difference between the gw-3.0.3, gw-minimal-3.0.3, and gw-experimental-3.0.3?
The short user answer: Just forget about minimal. Forget about experimental (that was dropped).

Technical answer: In Whonix 12, we’ll build Whonix always with flavor “minimal” and “no-recommends”.

Glad you're making GNOME templates
The short user answer: Sorry to disappoint you. Those are discouraged by me. Those are not mentioned in documentation anymore. Those will no longer be produced with Whonix 12.

Technical reason: more images cause more maintenance effort. And we don’t have anyone [capable of] spending sufficient time on those. Need to support in place upgrades, test them for leaks before release etc. See also Other Desktop Environments - Whonix. The plan is doing one thing, jessie only, “minimal” flavor [means not really “minimal”], KDE only, and doing that well.

Still not sure what went wrong with the upgrade, but have a feeling it might be a result of me cutting what I thought were non-essential packages. I mostly went with ones like kwrite, kmixer, and thunderbird, but I think this removed some dependencies that were useful on their own during apt autoremove.
See also: Whonix Debian Packages, which ones are safe to remove? https://www.whonix.org/wiki/Whonix_Debian_Packages

More answers to come.

No idea about pond building. Please open a ticket. Possibly attach a Debian successful and Whonix failed build log at phabricator.whonix.org.

1. Dialog will run up CPU to 100% in both workstation and gateway VMs. I thought this daemon was related to wireless networking?
No. This would be worth investigating.
3. Perhaps conversely, I was able to connect to my XMPP hidden service w/ xmpp-client (runs on port 5222 like usual--btw why is there no xmpp related lines in /usr/share/tor/tor-service-defaults?).
No one added them.

There is one for IM reserved. But not in use yet.
SOCKS_PORT_IM="9103"

Don’t use it though. Use a custom port. (Stream Isolation)

We don’t have a messenger installed by default yet. Ticket:
https://phabricator.whonix.org/T107

Since I use a separate VM for this, I know Tor will default to IsolateAddr, but I'd like to know how I can configure this myself.
The easiest is to use one of the pre-defined custom ports that are ready to use. No need to manually add a new one. https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist#L383-L396

(Unless you are using more than provided by default. But no one ever reported running out of custom ports yet.)

In fact, to be totally honest (and let me prefix this by saying Patrick and the Whonix team you've done awesome work and I so much appreciate it) I've found the documentation to be rather unorganized and incomplete.
Help welcome.
5. timesync is not working in gateway 11, but not workstation 11.
Hm? Mistake in that sentence?

Timesync was always broken in Qubes-Whonix until now. Will be fixed in Whonix 12.
(https://phabricator.whonix.org/T384)

If you would like to help testing this and having this fixed in Whonix 11, please refer to this post:

But that’s probably different from what you mean is broken. Please elaborate.

orchat seems no different than XMPP using OTR and Tor hidden XMPP server services (which already exists, as I’m sure you’re aware). I guess the idea is just to simplify and foolproof the process to make it more available to Windows and OS X users (where running tor daemon is much more difficult).

On another note, have you tried/ read about Pond? The security model is fantastic and does the best job of hiding metadata I’ve ever seen. It has a GUI, so it would be accessible to novice users.

Let me know if I get this right:

tor-service-defaults-torrc = not used, defaults from Debian Jessie
tor-service-defaults-torrc.anondist = used, defaults from Whonix
tor-service-defaults-torrc.anondist-orig = not used, defaults from Tor Project

Then I would guess the following:

torrc = used, any settings here will overwrite the settings in tor-service-defaults-torrc.anondist

However, my experience leads me to believe otherwise (see Qubes Google Group post I referenced earlier).

BTW, thanks for posting the stream isolation article. I was already familiar with the concept, so I read over it quickly earlier and missed all the custom pre-defined ports.

Lastly, where can I make pull requests for the wiki? I found https://github.com/Whonix/whonix-wiki-backup, but this doesn’t seem like the right place.

orchat seems no different than XMPP using OTR and Tor hidden XMPP server services (which already exists, as I'm sure you're aware). I guess the idea is just to simplify and foolproof the process to make it more available to Windows and OS X users (where running tor daemon is much more difficult).
I am sorry, but is there a suggestion?
On another note, have you tried/ read about Pond? The security model is fantastic and does the best job of hiding metadata I've ever seen. It has a GUI, so it would be accessible to novice users.
Yes, related: How to decide which apps come with Whonix? https://www.whonix.org/wiki/Dev/Default_Application_Policy
Let me know if I get this right:

tor-service-defaults-torrc = not used, defaults from Debian Jessie
tor-service-defaults-torrc.anondist = used, defaults from Whonix
tor-service-defaults-torrc.anondist-orig = not used, defaults from Tor Project

No.
tor-service-defaults-torrc is a symlink to tor-service-defaults-torrc.anondist. Comes from Whonix (package: ‘anon-gw-anonymizer-config’).
tor-service-defaults-torrc.anondist-orig comes from the original ‘tor’ package (from deb.torproject.org).

More technical details:
tor-service-defaults-torrc is owned by the original ‘tor’ package. Yet, to implement Whonix - in the absence of torrc.d-style configuration directories (#1922) · Issues · Legacy / Trac · GitLab - it is required to modify that tor-service-defaults-torrc. [We could also have just put everything into /etc/tor/torrc, but then it would be harder for users to make edits. So we decided to touch /etc/tor/torrc as little as possible so the user won’t run into interactive dpkg conflict resolution dialogs / lose their settings.]

No other package may directly overwrite that file. So Whonix is using the mature config-package-dev’s displace operation to take over that file. So Whonix can update tor-service-defaults-torrc anytime without interfering with changes by the original ‘tor’ package (tor-service-defaults-torrc.anondist-orig).

tor-service-defaults-torrc.anondist-orig is totally of no use other than seeing what the original ‘tor’ package one would look like.

In any case, tor-service-defaults-torrc should only be modified by developer-type like people.

torrc = used, any settings here will overwrite the settings in tor-service-defaults-torrc.anondist
Yes.

(But non-intuitive for some stuff: Tor Documentation for Whonix Users)

Lastly, where can I make pull requests for the wiki? I found https://github.com/Whonix/whonix-wiki-backup, but this doesn't seem like the right place.
Looking forward to that! :)

Indeed that’s the wrong place. We don’t manage contributions through git. Mediawiki / git contributions unfortunately don’t play nice together. Has not been developed/matured. For wiki edits, please refer to what is said in the footer.

This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Unless you are very unsure and/or plan big changes and/or controversial wiki changes… In these cases, we can create a copy of that page first which you can use to make “unsafe” edits. And when you’re done, we just merge it back to the original page.
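The "torrc overrides tor-service-defaults-torrc.anondist" rule discussed above has a non-intuitive corner that matters for the stream isolation ports mentioned earlier: per the Tor manual, a plain `SocksPort` line in torrc replaces every `SocksPort` from the defaults file, while `+SocksPort` appends and `/SocksPort` clears. The following added example (not Whonix's or Tor's code) models that layering and flags SocksPorts that lost `IsolateDestAddr`; the file contents are constructed stand-ins, not the real Whonix files.

```python
"""Model how Tor layers a defaults file under torrc (added example)."""

# Constructed stand-in for tor-service-defaults-torrc.anondist.
DEFAULTS_TORRC = """\
DisableNetwork 1
SocksPort 10.152.152.10:9050 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9103 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9150 IsolateDestAddr IsolateDestPort
"""
# Three constructed user torrc variants: the usual edit, a plain
# SocksPort line (replaces all isolated ports), and a '+' line (appends).
USER_TORRC_OK = "DisableNetwork 0\n"
USER_TORRC_REPLACES = "DisableNetwork 0\nSocksPort 10.152.152.10:9200\n"
USER_TORRC_APPENDS = "DisableNetwork 0\n+SocksPort 10.152.152.10:9200\n"


def parse_torrc(text):
    """Yield (prefix, option, value); prefix is '', '+' or '/'.
    Option names are lower-cased because Tor matches them case-insensitively."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        prefix = key[0] if key[0] in "+/" else ""
        yield prefix, key.lstrip("+/").lower(), value.strip()


def effective_config(defaults_text, torrc_text):
    """Return {option: [values]} as Tor would see it: the first plain line
    for an option in torrc discards that option's defaults, '+' appends,
    '/' removes every occurrence."""
    config = {}
    for _, key, value in parse_torrc(defaults_text):
        config.setdefault(key, []).append(value)
    seen = set()  # options already handled within the torrc layer
    for prefix, key, value in parse_torrc(torrc_text):
        if prefix == "/":
            config.pop(key, None)
        else:
            if prefix == "" and key not in seen:
                config[key] = []  # plain line: replace the defaults
            config.setdefault(key, []).append(value)
        seen.add(key)
    return config


def unisolated_socks_ports(config):
    """SocksPort entries without IsolateDestAddr, i.e. isolation was lost."""
    return [v for v in config.get("socksport", []) if "IsolateDestAddr" not in v]
```

Running `unisolated_socks_ports(effective_config(DEFAULTS_TORRC, USER_TORRC_REPLACES))` shows the single replacement port and no remaining isolated ports, which is the failure mode a plain `SocksPort` line in torrc produces.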