Qubes ticket:
opened 07:17AM - 30 Mar 18 UTC
closed 03:37PM - 15 Jul 18 UTC
P: major
T: task
C: mgmt
C: Whonix
I am not sure it was a good idea to go for versioned (suffixing `-14`) Whonix template names.
* We now have the issue that [salt uses](https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/anon-whonix.sls) non-versioned hardcoded values.
* However, [instructions for testing newly built Qubes-Whonix 14 templates] need to refer to the versioned template names.
* Qubes-Whonix manual setup got so complicated that we now advise users to use salt for it. (#3447) So telling users to do that manually is not an option either.
Perhaps we should revert this for the next template release and go back to non-versioned template names? Do you see a better solution for this?
Available for Qubes current-testing
Please first Operating System Software and Updates - Kicksecure as usual since many fixes are in the repository such as Tor Browser in DispVM preinstallation.
This one every tester might like to test.
Installs ‘anon-whonix’ AppVM.
sudo qubesctl state.sls qvm.anon-whonix
This one every tester might like to test.
Installs ‘whonix-ws-dvm’ AppVM as a base for Disposable VMs.
sudo qubesctl state.sls qvm.whonix-ws-dvm
This depends on your personal preference.
Setup UpdatesProxy to always use sys-whonix all TemplateVMs are upgraded over Tor.
sudo qubesctl state.sls qvm.updates-via-whonix
( Dev/Qubes - Whonix )
awokd
July 25, 2018, 7:12am
#4
Updated to latest testing and `sudo qubesctl state.sls qvm.anon-whonix` and `sudo qubesctl state.sls qvm.whonix-ws-dvm` work now. `sudo qubesctl state.sls qvm.updates-via-whonix` is still glitchy. For example, if the first line of `qubes.UpdatesProxy` is `$type:TemplateVM $default allow,target=sys-net`, running the Salt command results in it prepending `$type:TemplateVM $default allow,target=sys-whonix` to the file. It’s first match so technically will work, but not very clean.
Is there also a Salt command to update sys-whonix to 14, or does that just need a template change to whonix-gw-14?
awokd
July 25, 2018, 7:50am
#6
Can Salt search for the first (not commented out) `$type:TemplateVM $default allow,target=` in the file, then update it instead? Not really sure of its capabilities.
I confirmed `qubesctl state.sls qvm.anon-whonix` will create a sys-whonix with the -14 template if it does not already exist, but not update it to -14 if it does. Guess this would be difficult to automate because it would have to search out everything set to use the old sys-whonix and temporarily disable it before it could update to new.
I guess so. Could you open a qubes-issue please?
What about salt commenting out the offending ones rather than keeping them?
awokd:
I confirmed `qubesctl state.sls qvm.anon-whonix` will create a sys-whonix with the -14 template if it does not already exist, but not update it to -14 if it does. Guess this would be difficult to automate because it would have to search out everything set to use the old sys-whonix and temporarily disable it before it could update to new.
You mean this one…?
opened 03:01PM - 03 Aug 18 UTC
T: enhancement
C: mgmt
C: Whonix
### Qubes OS version: R3.2 and R4.0
### Affected component(s): Whonix
---
### Steps to reproduce the behavior:
When `sudo qubesctl state.sls qvm.anon-whonix` is executed as [instructed by Whonix wiki](https://whonix.org/wiki/Qubes/Install/Testing) while `sys-whonix` VM already exists, the existing `sys-whonix` VM will remain unchanged.
### Expected behavior:
User should be informed that the `sys-whonix` VM is not created as expected because it already exists.
### Actual behavior:
User is not informed that they are still using the old `sys-whonix` VM.
### General notes:
The current workaround is to delete the existing `sys-whonix` and then execute the command again.
Whonix Wiki has also been updated to [address the issue](https://www.whonix.org/wiki/Qubes/Install/Testing#Remove_Old_Versions), but this solution is not very [satisfying](https://forums.whonix.org/t/qubes-whonix-14-0-0-7-9-templatevms-for-r3-2-and-r4-testers-wanted/5529/17).
The `anon-whonix` may be affected by this problem as well.
Added Whonix settings to Qubes base file versions:
QubesOS:master
← adrelanos:patch-8
opened 05:33PM - 07 Aug 18 UTC
For better leak-proofness.
So we don't have to set this using salt.
* https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/template-whonix-ws.sls#L31
* https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/template-whonix-gw.sls#L31
related:
https://github.com/QubesOS/qubes-issues/issues/3994
QubesOS:master
← adrelanos:patch-7
opened 04:29PM - 07 Aug 18 UTC
Why do we set that using salt?
Simpler and more robust to just set it here.
…
https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/template-whonix-ws.sls#L43
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
$tag:anon-vm $anyvm deny
$anyvm $anyvm allow,target=dom0
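An added example (not part of the thread or of the Qubes Salt formulas) of the in-place update asked about above for `qubes.UpdatesProxy`: rewrite the first active `$type:TemplateVM $default` rule, comment out later duplicates that first-match parsing would never reach, and prepend only when no such rule exists. The function names and the sample file contents are constructed for illustration.

```python
import re

SRC, DST = "$type:TemplateVM", "$default"
# An active (not commented-out) rule: "<source> <dest> <action[,params]>"
RULE = re.compile(r"^\s*(?!#)(\S+)\s+(\S+)\s+(\S+)\s*$")

def _is_rule(line, source, dest):
    m = RULE.match(line)
    return m if m and (m.group(1), m.group(2)) == (source, dest) else None

def active_targets(policy_text, source=SRC, dest=DST):
    """Targets of active source/dest rules in file order.
    Parsing stops at the first match, so only index 0 takes effect."""
    hits = []
    for line in policy_text.splitlines():
        m = _is_rule(line, source, dest)
        if m:
            hits.append(m.group(3).partition("target=")[2])
    return hits

def set_updates_target(policy_text, target, source=SRC, dest=DST):
    """Rewrite the first active rule in place, comment out later duplicates,
    and prepend only when the file has no such rule. Idempotent."""
    wanted = f"{source} {dest} allow,target={target}"
    out, done = [], False
    for line in policy_text.splitlines():
        if not _is_rule(line, source, dest):
            out.append(line)
        elif not done:
            out.append(wanted)
            done = True
        else:
            out.append("# " + line)  # shadowed: could never match anyway
    if not done:
        out.insert(0, wanted)
    return "\n".join(out) + "\n"

# Constructed samples (not taken from a real system).
ORIGINAL = """\
## constructed qubes.UpdatesProxy sample
#$type:TemplateVM $default allow,target=sys-firewall
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""
PREPENDED = "$type:TemplateVM $default allow,target=sys-whonix\n" + ORIGINAL

if __name__ == "__main__":
    print(active_targets(PREPENDED))   # two active rules, second is shadowed
    print(set_updates_target(ORIGINAL, "sys-whonix"), end="")
```

`active_targets` doubles as an audit check: more than one entry means the file carries rules that first-match parsing never reaches.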