Qubes-Whonix 14 SaltStack state files - Testers Wanted!

Patrick · June 13, 2018, 7:23am

Qubes ticket:

github.com/QubesOS/qubes-issues

Qubes-Whonix 14 SaltStack state files required

opened 07:17AM - 30 Mar 18 UTC

closed 03:37PM - 15 Jul 18 UTC

adrelanos

P: major T: task C: mgmt C: Whonix

I am not sure it was a good idea to go for versioned (suffixing `-14`) Whonix te…mplate names. * We now have the issue that [salt uses](https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/anon-whonix.sls) non-versioned hardcoded values. * However, [instructions for testing newly built Qubes-Whonix 14 templates] need to refer to the versioned template names. * Qubes-Whonix manual setup got to complicated that we now advice users to use salt for it. (#3447) So telling users to do that manually is not an option either. Perhaps we should revert this for the next template release and go back to non-versioned template names? Do you see a better solution for this?

Available for Qubes current-testing.

Patrick · June 14, 2018, 7:45am

Please first Operating System Software and Updates as usual since many fixes are in the repository such as Tor Browser in DispVM preinstallation.

This one every tester might like to test.

Installs ‘anon-whonix’ AppVM.

sudo qubesctl state.sls qvm.anon-whonix

This one every tester might like to test.

Installs ‘whonix-ws-dvm’ AppVM as a base for Disposable VMs.

sudo qubesctl state.sls qvm.whonix-ws-dvm

This depends on your personal preference.

Setup UpdatesProxy to always use sys-whonix all TemplateVMs are upgraded over Tor.

sudo qubesctl state.sls qvm.updates-via-whonix

( Dev/Qubes - Whonix )

Patrick · July 15, 2018, 3:37pm

github.com/QubesOS/qubes-issues

Qubes-Whonix salt failing - sudo qubesctl state.sls qvm.anon-whonix dom0

opened 03:33PM - 15 Jul 18 UTC

closed 07:32PM - 15 Jul 18 UTC

adrelanos

T: bug C: mgmt C: Whonix

### Qubes OS version: R4 ### Affected component(s): Qubes-Whonix ### Step…s to reproduce the behavior: sudo qubesctl state.sls qvm.anon-whonix dom0 ### Expected behavior: Functional, anon-whonix created, no error messages. ### Actual behavior: ``` [WARNING ] /var/cache/salt/minion/extmods/states/ext_state_qvm.py:142: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6 status = Status(retcode=1, result=False, stderr=err.message + '\n') [ERROR ] ====== ['present'] ====== [TEST] /usr/bin/qvm-create sys-whonix --class=AppVM --template=whonix-gw-14 --label=black --property=memory=500 ====== ['prefs'] ====== Virtual Machine does not exist! [0;31mlocal:[0;0m [0;32m----------[0;0m [0;32m ID: template-whonix-ws-14[0;0m [0;32mFunction: pkg.installed[0;0m [0;32m Name: qubes-template-whonix-ws-14[0;0m [0;32m Result: True[0;0m [0;32m Comment: Package qubes-template-whonix-ws-14 is already installed[0;0m [0;32m Started: 17:18:42.784996[0;0m [0;32mDuration: 1189.348 ms[0;0m [0;32m Changes: [0;0m [0;1;33m----------[0;0m [0;1;33m ID: whonix-ws-tag[0;0m [0;1;33mFunction: qvm.vm[0;0m [0;1;33m Name: whonix-ws-14[0;0m [0;1;33m Result: None[0;0m [0;1;33m Comment: ====== ['features'] ====== ====== ['tags'] ======[0;0m [0;1;33m Started: 17:18:43.978506[0;0m [0;1;33mDuration: 83.463 ms[0;0m [0;1;33m Changes: [0;36m----------[0;0m [0;36mqvm.features[0;0m: [0;36m----------[0;0m [0;36mqvm.features[0;0m: [0;36m----------[0;0m [0;36mwhonix-ws[0;0m: [0;36m----------[0;0m [0;36mnew[0;0m: [0;32m1[0;0m [0;36mold[0;0m: [0;1;33mNone[0;0m [0;36mqvm.tags[0;0m: [0;36m----------[0;0m [0;36mqvm.tags[0;0m: [0;36m----------[0;0m [0;36mnew[0;0m: [0;32m- created-by-dom0[0;0m [0;32m- whonix-updatevm[0;0m [0;36mold[0;0m: [0;32m- created-by-dom0[0;0m[0;0m [0;1;33m----------[0;0m [0;1;33m ID: whonix-ws-update-policy[0;0m [0;1;33mFunction: file.prepend[0;0m [0;1;33m Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy[0;0m [0;1;33m Result: None[0;0m [0;1;33m Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is set to be updated[0;0m [0;1;33m Started: 17:18:44.070188[0;0m [0;1;33mDuration: 14.671 ms[0;0m [0;1;33m Changes: [0;36m----------[0;0m [0;36mdiff[0;0m: [0;32m--- [0;0m [0;32m+++ [0;0m [0;32m@@ -1,3 +1,5 @@[0;0m [0;32m+$tag:whonix-updatevm $default allow,target=sys-whonix[0;0m [0;32m+$tag:whonix-updatevm $anyvm deny[0;0m [0;32m #$type:TemplateVM $default allow,target=sys-whonix[0;0m [0;32m [0;0m [0;32m [0;0m[0;0m [0;32m----------[0;0m [0;32m ID: whonix-get-date-policy[0;0m [0;32mFunction: file.prepend[0;0m [0;32m Name: /etc/qubes-rpc/policy/qubes.GetDate[0;0m [0;32m Result: True[0;0m [0;32m Comment: File /etc/qubes-rpc/policy/qubes.GetDate is in correct state[0;0m [0;32m Started: 17:18:44.085194[0;0m [0;32mDuration: 4.203 ms[0;0m [0;32m Changes: [0;0m [0;32m----------[0;0m [0;32m ID: template-whonix-gw-14[0;0m [0;32mFunction: pkg.installed[0;0m [0;32m Name: qubes-template-whonix-gw-14[0;0m [0;32m Result: True[0;0m [0;32m Comment: Package qubes-template-whonix-gw-14 is already installed[0;0m [0;32m Started: 17:18:44.089707[0;0m [0;32mDuration: 1.274 ms[0;0m [0;32m Changes: [0;0m [0;1;33m----------[0;0m [0;1;33m ID: whonix-gw-tag[0;0m [0;1;33mFunction: qvm.vm[0;0m [0;1;33m Name: whonix-gw-14[0;0m [0;1;33m Result: None[0;0m [0;1;33m Comment: ====== ['features'] ====== ====== ['tags'] ======[0;0m [0;1;33m Started: 17:18:44.091298[0;0m [0;1;33mDuration: 85.366 ms[0;0m [0;1;33m Changes: [0;36m----------[0;0m [0;36mqvm.features[0;0m: [0;36m----------[0;0m [0;36mqvm.features[0;0m: [0;36m----------[0;0m [0;36mwhonix-gw[0;0m: [0;36m----------[0;0m [0;36mnew[0;0m: [0;32m1[0;0m [0;36mold[0;0m: [0;1;33mNone[0;0m [0;36mqvm.tags[0;0m: [0;36m----------[0;0m [0;36mqvm.tags[0;0m: [0;36m----------[0;0m [0;36mnew[0;0m: [0;32m- created-by-dom0[0;0m [0;32m- whonix-updatevm[0;0m [0;36mold[0;0m: [0;32m- created-by-dom0[0;0m[0;0m [0;1;33m----------[0;0m [0;1;33m ID: whonix-gw-update-policy[0;0m [0;1;33mFunction: file.prepend[0;0m [0;1;33m Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy[0;0m [0;1;33m Result: None[0;0m [0;1;33m Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is set to be updated[0;0m [0;1;33m Started: 17:18:44.177058[0;0m [0;1;33mDuration: 6.176 ms[0;0m [0;1;33m Changes: [0;36m----------[0;0m [0;36mdiff[0;0m: [0;32m--- [0;0m [0;32m+++ [0;0m [0;32m@@ -1,3 +1,5 @@[0;0m [0;32m+$tag:whonix-updatevm $default allow,target=sys-whonix[0;0m [0;32m+$tag:whonix-updatevm $anyvm deny[0;0m [0;32m #$type:TemplateVM $default allow,target=sys-whonix[0;0m [0;32m [0;0m [0;32m [0;0m[0;0m [0;1;33m----------[0;0m [0;1;33m ID: sys-net[0;0m [0;1;33mFunction: qvm.exists[0;0m [0;1;33m Result: None[0;0m [0;1;33m Comment: /usr/bin/qvm-check sys-net VM sys-net exists None[0;0m [0;1;33m Started: 17:18:44.183552[0;0m [0;1;33mDuration: 615.089 ms[0;0m [0;1;33m Changes: [0;0m [0;1;33m----------[0;0m [0;1;33m ID: sys-firewall[0;0m [0;1;33mFunction: qvm.exists[0;0m [0;1;33m Result: None[0;0m [0;1;33m Comment: /usr/bin/qvm-check sys-firewall VM sys-firewall exists None[0;0m [0;1;33m Started: 17:18:44.799317[0;0m [0;1;33mDuration: 564.042 ms[0;0m [0;1;33m Changes: [0;0m [0;31m----------[0;0m [0;31m ID: sys-whonix[0;0m [0;31mFunction: qvm.vm[0;0m [0;31m Result: False[0;0m [0;31m Comment: ====== ['present'] ====== [TEST] /usr/bin/qvm-create sys-whonix --class=AppVM --template=whonix-gw-14 --label=black --property=memory=500 ====== ['prefs'] ====== Virtual Machine does not exist![0;0m [0;31m Started: 17:18:45.369526[0;0m [0;31mDuration: 1246.814 ms[0;0m [0;31m Changes: [0;0m [0;31m----------[0;0m [0;31m ID: whonix-ws-14-dvm[0;0m [0;31mFunction: qvm.vm[0;0m [0;31m Result: False[0;0m [0;31m Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix[0;0m [0;31m Changes: [0;0m [0;31m----------[0;0m [0;31m ID: qvm-appmenus --update whonix-ws-dvm[0;0m [0;31mFunction: cmd.run[0;0m [0;31m Result: False[0;0m [0;31m Comment: One or more requisite failed: qvm.whonix-ws-dvm.whonix-ws-14-dvm[0;0m [0;31m Changes: [0;0m [0;31m----------[0;0m [0;31m ID: anon-whonix[0;0m [0;31mFunction: qvm.vm[0;0m [0;31m Result: False[0;0m [0;31m Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix, qvm.whonix-ws-dvm.whonix-ws-14-dvm[0;0m [0;31m Changes: [0;0m [0;36m Summary for local ------------[0;0m [0;32mSucceeded: 9[0;0m ([0;1;33munchanged=6[0;0m, [0;32mchanged=4[0;0m) [0;31mFailed: 4[0;0m [0;36m------------ Total states run: 13[0;0m [0;36mTotal run time: 3.810 s[0;0m DOM0 configuration failed, not continuing ``` ### General notes: Running `/usr/bin/qvm-create whonix-ws-14-dvm --class=AppVM --template=whonix-ws-14 --label=red` manually followed by repeating the original command (`sudo qubesctl state.sls qvm.anon-whonix dom0`) and no more failed salt states. --- ### Related issues: https://github.com/QubesOS/qubes-issues/issues/3765 //cc @viq

awokd · July 25, 2018, 7:12am

Updated to latest testing and sudo qubesctl state.sls qvm.anon-whonix and sudo qubesctl state.sls qvm.whonix-ws-dvm work now.

sudo qubesctl state.sls qvm.updates-via-whonix is still glitchy. For example, if the first line of qubes.UpdatesProxy is $type:TemplateVM $default allow,target=sys-net, running the Salt command results in it prepending $type:TemplateVM $default allow,target=sys-whonix to the file. It’s first match so technically will work, but not very clean.

Is there also a Salt command to update sys-whonix to 14, or does that just need a template change to whonix-gw-14?

Patrick · July 25, 2018, 7:29am

What would you suggest?

change Qubes network policy, UpdatesProxy to network disabled by default for better leak-proofness

opened 09:02AM - 14 Jun 18 UTC

adrelanos

T: enhancement C: core P: major privacy C: Whonix

### Qubes OS version: R4 and above ### Affected component(s): dom0, Whonix …### Steps to reproduce the behavior: Set NetVM of anon-whonix to default (sys-net). Then use system default networking `curl.anondist-orig https://check.torproject.org` or otherwise to connect to clearnet. ### Expected behavior: Secure defaults. No clearnet connections possible through small user configuration mistake / oversight. ### Actual behavior: Insecure defaults. Clearnet leak. ### General notes: Qubes UpdatesProxy mechanism currently is more likely to produce a leak in future. A leak as in a user expecting to have connections torified while these are over clearnet. The problem is, that https://github.com/QubesOS/qubes-core-admin/blob/master/qubes-rpc-policy/qubes.UpdatesProxy.policy by default says `$type:TemplateVM $default allow,target=sys-net`. And sys-net traffic isn't torified by default. Therefore, if any of the following goes wrong (salt / tags / qvm-features maybe / qubes-core-admin-addon-whonix), Whonix TemplateVMs might connect through clearnet. Would be better if `qubes.UpdatesProxy.policy` only included `$anyvm $anyvm deny` and then opt-in each and every TemplateVM rather than an opt-out approach. When the user wants torification, the default non-torification setting needs to be overwritten. This is done by salt: * https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/template-whonix-gw.sls - which depends on `tag:whonix-updatevm` * https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/updates-via-whonix.sls And then there is also https://github.com/QubesOS/qubes-core-admin-addon-whonix. The user accidentally setting a whonix-ws based AppVM such as anon-whonix to NetVM default (sys-net) results in `curl.anondist-orig https://check.torproject.org` being able to reach it over clearnet. This is a huge disadvantage over the VirtualBox version of Whonix where such mistakes are very very unlikely to happen. (Because the Whonix-Workstation VirtualBox version of Whonix has only an internal network card (in internal network `whonix`) - which cannot accidentally connect to clearnet.) ---- Qubes-Whonix has code to detect wrongly configured Qubes updates proxy settings and refuses to upgrade but that's just a workaround and more complexity (possible including bugs leading to situations where users cannot upgrade or false-positive warnings). * https://github.com/Whonix/qubes-whonix/blob/master/etc/uwt.d/40_qubes.conf * https://github.com/Whonix/qubes-whonix/blob/master/usr/lib/qubes-whonix/init/torified-updates-proxy-check * https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-torified-updates-proxy-check.service There's also `whonixcheck --leak-tests`. It's not a real fix, not as strong as a technical guarantee as it could be. ---- It's a complex design and interaction. Hard to fully understand (more so the more time passes). Prone for bugs in future or user mistake. In summary, Qubes default and technical design currently is: network-enabled, clearnet, options to change to network-disabled or torified For better control of connections the technical design should be: non-networked by default and then opt-in networking by using salt / core-admin-addon's.

awokd · July 25, 2018, 7:50am

Can Salt search for the first (not commented out) $type:TemplateVM $default allow,target= in the file, then update it instead? Not really sure of its capabilities.

I confirmed qubesctl state.sls qvm.anon-whonix will create a sys-whonix with the -14 template if it does not already exist, but not update it to -14 if it does. Guess this would be difficult to automate because it would have to search out everything set to use the old sys-whonix and temporarily disable it before it could update to new.

Patrick · August 8, 2018, 9:32am

I guess so. Could you open a qubes-issue please?

What about salt commenting out the offending ones rather then keeping them?

You mean this one…?

github.com/QubesOS/qubes-issues

No error information when salt failed to create a VM due to name collision

opened 03:01PM - 03 Aug 18 UTC

irykoon

T: enhancement C: mgmt C: Whonix P: default

### Qubes OS version: R3.2 and R4.0  ### Affected component(s): Whonix --- ### Steps to reproduce the behavior:  When `sudo qubesctl state.sls qvm.anon-whonix` is executed as [instructed by Whonix wiki](https://whonix.org/wiki/Qubes/Install/Testing) while `sys-whonix` VM already exists, the existing `sys-whonix` VM will remain unchanged. ### Expected behavior: User should be informed that the `sys-whonix` VM is not created as expected because it already exists. ### Actual behavior: User is not informed that they are still using the old `sys-whonix` VM. ### General notes: The current workaround is to delete the existing `sys-whonix` and then executed the command again. Whonix Wiki has also been updated to [address the issue](https://www.whonix.org/wiki/Qubes/Install/Testing#Remove_Old_Versions), but this solution is not very [satisfying](https://forums.whonix.org/t/qubes-whonix-14-0-0-7-9-templatevms-for-r3-2-and-r4-testers-wanted/5529/17). The `anon-whonix` may be affected by this problem as well.

Added Whonix settings to Qubes base file versions:

github.com

QubesOS/qubes-core-admin/blob/master/qubes-rpc-policy/qubes.UpdatesProxy.policy

# Legacy. This file does nothing and will be removed in a future release. See:
# /etc/qubes/policy.d/90-default.policy

github.com

QubesOS/qubes-core-admin/blob/master/qubes-rpc-policy/qubes.GetDate.policy

## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

$tag:anon-vm	$anyvm	deny
$anyvm	$anyvm	allow,target=dom0

Patrick · August 8, 2018, 9:41am