Question attempting an Ubuntu/Fedora version of Whonix?

First of all thank you for all the effort you put into Whonix. I really like the concept and have been playing around with various things.

To cut to the chase, do you have a step-by-step checklist of how you go from a vanilla version of Debian to a Whonix Gateway and Workstation? I am asking because I would like to see to what extent I could repeat that process starting with Ubuntu. I would give you feedback along the way and, if successful, would be happy to maintain a personal ppa apt-repository for all the Ubuntu related needs. Of course I also might fail and find the task impossible but perhaps my failure would be helpful knowledge as well. And if successful, I might just take a crack at Fedora as well.

I just sort of view the Whonix concept as something that should transcend solely a KDE version of Debian. That it should be like an apache server where it’s distro-independent and a framework that can be woven into anyone’s distro of choice. (Assuming the distro meets certain basic criteria.) So if I could take the process of “Whonix’ing” a couple different distros from scratch I feel perhaps I could help make Whonix a portable framework.

Or if you think what I just said is insane let me know and I will leave you alone. :slight_smile: But even if that is the case, again I would like to thank you for your efforts.

PS. Correct me if I am wrong, but it seems like the build steps may be in these scripts:

https://github.com/Whonix/Whonix/tree/master/build-steps.d

Certainly possible.

Very long ago, Whonix was based on Ubuntu.

And there has been an unreleased port to Ubuntu.

Nothing essential is inherently hardcoded to any platform. (Technical Introduction)

There conceptually cannot be a complete step-by-step checklist. There could be one in a snapshot at time of writing, but creating such a list would already require the lion’s share of the time for actually completing the port.

Pick any package.

For example.

Its makefile is generic. Porting / packaging any of Whonix’s packages for any platform such as Fedora should just be the same process as would usually be required. Any packager for a different platform should have a relatively simple time because Whonix’s packages are simple.

By porting genmkfile to, let’s say for example, Fedora, you would port all Whonix packages to Fedora.

Porting to other Debian derivatives would be simpler than porting to non-Debian derived distributions.

Ubuntu is not so attractive for ports, because it has trademark and privacy issues. (Security-Focused Operating System Comparison as Base for Whonix)

PS. Correct me if I am wrong, but it seems like the build steps may be in these scripts:

https://github.com/Whonix/Whonix/tree/master/build-steps.d

Yes.

Okay, a few updates (with the last being more important):

  1. If I checkout the latest stable git tag then:

    sudo ./build-steps.d/1100_prepare-build-machine --target root --arch amd64

    runs just fine on ubuntu 15.10.

  2. Also:

    sudo -E ./build-steps.d/1200_create-debian-packages --target root --build --internalrun --arch amd64

    works out of the box if I ignore all the lintian warnings of ubuntu not matching the unstable distro in the debian changelog file.

  3. However:

    sudo ./packages/whonix-developer-meta-files/debug-steps/locally-upgrade-whonix-debian-packages --target root --flavor whonix-gateway --build --arch amd64

    fails miserably from package dependencies not existing in ubuntu 15.10 (or being renamed) and it seems hardcoded to only apt-get from ubuntu precise repos. (And 15.10 is wily, not precise.)

  4. Lastly, I am now going to slowly go through the packages one by one and upload to this new ubuntu ppa. I have already got a couple uploaded. With any luck this ppa will populate with all the packages over the next several days. If there is a preferred order that I should upload let me know.

Thanks again for the advice. I will get this working with 15.10, then 14.04 LTS then the upcoming 16.04 LTS and then start to think about fedora.

PS. I have installed the whonixcheck and whonixsetup files I created. whonixsetup runs and says tor starting is a success. However, whonixcheck fails with “tor.pid does not exist”. This link suggests I need to change an interface file. However, is one of these subpackages supposed to do that? If so, which one? Perhaps I need to add that to the whonixcheck depends list? If not, then should I write a bash script that does this and add it to a package? Let me know what you think or if I am doing something wrong.

Great stuff!

That link applies only to users updating from Whonix 11 to Whonix 12. Only. For newly downloaded [or here: build] images this does not apply. The package responsible for setting this up is whonix-gw-network-conf or whonix-ws-network-conf package.

Anyhow. Make sure /etc/network/interfaces looks like this.

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

When built by the Whonix build script, it will look that way. I am not sure it’s the Debian and/or grml-debootstrap default.

What you might have in mind is installation of Whonix from a repository. I.e. installation from an apt repository. Right? This is a nice idea, but currently not fully ready. You could finish developing this perhaps, though. More info:
Whonix Installation from Whonix APT Repository

I don’t think whonixcheck needs any further dependencies. What whonixcheck needs is a test of whether the network interfaces are correctly configured. It’s on my todo list for Whonix 13. So “no Tor pid” is in many cases just a follow-up error if not both network interfaces came up as expected. Check sudo ifconfig. Then compare with existing Whonix. Or post it here for me to compare.

Also always good to check.

sudo systemctl list-units

(whonixcheck should also test for that in Whonix 13.)
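The check suggested above (interfaces file sources interfaces.d, both interfaces up, and only then look at the Tor pid file) as a small script. This is an added example, not whonixcheck or any Whonix code; the interface names eth0/eth1 and the pid path /run/tor/tor.pid are assumptions, and all paths are parameters so the check can be run against a test tree.

```shell
#!/bin/sh
# Added example (not Whonix code): sanity check for a Whonix-style network
# setup. Verifies that the interfaces file pulls in /etc/network/interfaces.d,
# that each expected interface is up, and reports a missing Tor pid file as a
# probable follow-up error when the network is broken.
# Assumptions: interface names passed by the caller (eth0 eth1 on a gateway),
# Tor pid file at /run/tor/tor.pid (Debian default), sysfs at /sys.

# Return 0 if FILE ($1) contains an uncommented
# "source-directory /etc/network/interfaces.d" line.
interfaces_sources_dir() {
    grep -Eq '^[[:space:]]*source-directory[[:space:]]+/etc/network/interfaces\.d[[:space:]]*$' "$1"
}

# Print the operstate ("up", "down", "unknown", ...) of interface $2 under
# sysfs root $1, or "missing" if the kernel has no such interface.
iface_state() {
    if [ -r "$1/class/net/$2/operstate" ]; then
        cat "$1/class/net/$2/operstate"
    else
        echo missing
    fi
}

# Arguments: interfaces file, sysfs root, Tor pid file, then interface names.
# Prints one line per finding; returns the number of problems found (0 = all good).
check_whonix_network() {
    ifaces_file=$1; sysroot=$2; pidfile=$3; shift 3
    problems=0
    if interfaces_sources_dir "$ifaces_file"; then
        echo "ok: $ifaces_file sources /etc/network/interfaces.d"
    else
        echo "FAIL: $ifaces_file does not source /etc/network/interfaces.d"
        problems=$((problems + 1))
    fi
    for ifname in "$@"; do
        state=$(iface_state "$sysroot" "$ifname")
        case $state in
            up) echo "ok: $ifname is up" ;;
            *)  echo "FAIL: $ifname state is $state"; problems=$((problems + 1)) ;;
        esac
    done
    if [ -s "$pidfile" ]; then
        echo "ok: Tor pid file $pidfile present"
    elif [ "$problems" -gt 0 ]; then
        echo "note: $pidfile missing, probably a follow-up error of the network problems above"
        problems=$((problems + 1))
    else
        echo "FAIL: $pidfile missing although the network looks fine; check Tor itself"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# On a real gateway (assumed names and paths):
#   sudo sh -c '. ./check-net.sh; check_whonix_network /etc/network/interfaces /sys /run/tor/tor.pid eth0 eth1'
```

If the interface check fails, fix the interfaces.d files first; the Tor pid complaint from whonixcheck usually disappears with it.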

Alright, a few more updates:

  1. All 117 packages that I believe can be built were successfully built and are available on the ppa. Given the large number of packages and my lack of technical knowledge about Whonix, I can’t vouch for the integrity other than at least all the packages in the github repository build successfully on 15.10.

  2. These packages needed ruby-ronn added as a build dependency: timesync, whonix-base-files, xchat-improved-privacy, sdwdate-gui, tb-starter and whonix-repository. There was an issue with the man pages being generated without this extra build dependency. The addition of this build dependency is reflected in the changelog.

  3. I appreciate you alerting me to this:

    Whonix Installation from Whonix APT Repository

    This was a goal I was hoping to think about long term. Perhaps as I relook at these packages I built one by one and learn how exactly they work I can find a way to make this a reality. We will see.

Well once again I can’t vouch for the integrity, but at least the packages are now built for ubuntu 15.10 and are free for people to test out from this ppa. Let me know if you find issues.

Jsmidt:

  1. These packages needed ruby-ronn added as a build dependency:
    timesync, whonix-base-files, xchat-improved-privacy, sdwdate-gui,
    tb-starter and whonix-repository. The addition of this build
    dependency is reflected in the changelog.

The changelog… Hm. So did you change the code and commit to git then? I am asking, because then I could fetch and merge your changes.

Alternatively for such general issues and small changes I can also commit it to git myself.

  1. I appreciate you alerting me to this:

Whonix Installation from Whonix APT Repository

This was a goal I was hoping to think about long term.

Very much worthwhile. Good goal for Whonix 13.

Most problematic currently is the following chroot script.

Whonix ™ Source Code Introduction

Any idea how this could be implemented as part of a normal package?

Now I got the idea. Perhaps I just need to write a systemd service that runs all the chroot scripts after boot. Perhaps not hard.

Perhaps as I relook at these packages I built one by one and learn how exactly they work I can find a way to make this a reality. We will see.

Will perhaps take less time than you may think, because it is always the same makefile, and some packages consist of very few small files.

Well once again I can’t vouch for the integrity, but at least the packages are now built for ubuntu 15.10 and are free for people to test out from this ppa. Let me know if you find issues.

I don’t think I will be able to make time to test any Ubuntu packages.

If you want official Whonix Ubuntu / etc. support, you would have to become the maintainer for that use case. (Contribute to Whonix) Essentially, you would be responsible for it, and I would be redirecting any support requests about it to the - to be later created - support sub forum / you.

If you want more exposure of this effort, you can write a blog post at Whonix blog. Ubuntu support has been requested every now and then, so I guess there could be some interest.

Would be interesting to know if you are able to run ‘sudo apt-get install whonix-gateway’ or whonix-workstation. Then see if/where it breaks. Have a VM snapshot. Likely need to run this several times.

Alright, time for some updates. The good news is using apt-get to install whonix-workstation basically works after some tweaks. The bad news is it still isn’t perfect and whonix-gateway still has some work. But progress. Here is the longer version:

  1. When I went to do sudo apt-get install whonix-workstation and sudo apt-get install whonix-gateway I got these dependency issues with the first and these with the second.

    To fix these, I had to shift the conflict with resolvconf from the dns packages to whonix-workstation and whonix-gateway. I also had to remove the kde dependencies that do not exist in ubuntu. I know this is not ideal, but it got the packages to work as a first pass and the changes have been uploaded to the ubuntu ppa so they will work for everyone else.

  2. As these screenshots show, sudo apt-get install whonix-workstation basically works. See the images and titles for extra commentary. If I just do the apt-get command, change to an internal connection and update the network files as the whonix documentation for ubuntu suggests I get a working tor browser that passes tests. (I am running this through a debian whonix-gateway that works) Whonixcheck gives some warnings and even worse I can’t get things to reboot, but the initial connectivity is there.

    Given this experience, I am going to attempt to make a whonix-ubuntu-workstation package that just installs the minimal stuff. I am hoping if I only install the basics to get whonixcheck to pass that whatever is preventing reboot will be avoided.

  3. Unfortunately, sudo apt-get install whonix-workstation still needs work. As these images show, the initial command seems to work and presents you with the desktop you would expect. Also, running the restart-tor application I get output that suggests tor is working. However, whonixcheck and timesync fail with errors and I was not able to connect with it with a debian whonix-workstation. I hoped rebooting would help but it also failed to reboot.

So all in all I see this as progress. Like I said, I hope to create a whonix-ubuntu-workstation package that is minimal yet works. Let me know if you know what are the minimal packages that one must install to pass whonixcheck.

Now to some of your questions:

So did you change the code and commit to git then? I am asking, because then I could fetch and merge your changes.

So my goal was to get everything working then submit pull-requests. That way you know the final pull-requests do the right thing.

Any idea how this could be implemented as part of a normal package? Now I got the idea. Perhaps I just need to write a systemd service that runs all the chroot scripts after boot. Perhaps not hard.

To be honest I am not sure what to do at this stage. Maybe as I learn more something will come to me, but if you have an idea I would love to try it.

I don’t think I will be able to make time to test any Ubuntu packages.

I understand. However, if I can get the minimal ubuntu-desktop working I would like to call for testers if that is okay. Thanks again.

Okay. Works either way. Although smaller pull requests fixing the general small issues (such as the missing ruby-ronn build dependencies) would be better to keep the diff simpler. Anyhow.

For now, a quick and dirty solution, try running these after installing the packages. Might do.

  ## $CHROOT is the build script's chroot prefix. On an already installed
  ## system leave it empty so the commands run directly (as root).
  CHROOT=""

  ## Check which chroot scripts we got.
  $CHROOT run-parts --verbose --test "/usr/lib/anon-dist/chroot-scripts-post.d/"

  ## Run the chroot scripts.
  $CHROOT run-parts --verbose --exit-on-error "/usr/lib/anon-dist/chroot-scripts-post.d/"

More answers coming.

(If the run-parts script does not run all the scripts, just run as many of them manually one by one. Perhaps they require minor changes and ultimately we try to abolish them for Whonix 13 one way or another.)

The dependency issues might happen because not all packages that are usually created by GitHub - Whonix/anon-meta-packages are built.

Are whonix-workstation-packages-dependencies-pre, anon-workstation-packages-recommended, etc. actually built, uploaded, available and installable from your repository (ppa)?

The whonixcheck Whonix News result shows outdated, because the build version file /var/lib/anon-dist/build_version does not exist. (It would usually be created by https://github.com/Whonix/anon-shared-build-log-build-version.)

More answers later.

The boot might fail because of any of these grub configuration packages. See the following search query:

Whonix · GitHub

Either omit installing these packages. Or rm the config files they are shipping. Then run sudo update-grub (or however Ubuntu is doing that). Running the latter manually may be wise either way - to see if there are any errors. Besides that, I wouldn’t know what could break booting.

There isn’t a list of packages that must be installed to make whonixcheck pass. I guess when the chroot scripts thing is sorted out, it might just work. Otherwise whonixcheck should rather be modified to cover these cases. Let’s not be hostages of whonixcheck.

Perhaps whonix-initializer might break things. Perhaps the whonix-initializer cleanup chroot script should be omitted, because it is supposed to be run within a chroot. Not within a running system.
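The “systemd service that runs all the chroot scripts after boot” idea and the run-parts commands from the posts above, combined into one added example. This is not Whonix’s own code: the script directory is the one named in the thread, while the unit name, the run-once marker file under /var/lib/anon-dist and the ordering relative to network.target and display-manager.service are my assumptions.

```shell
#!/bin/sh
# Added example (not Whonix code): a oneshot systemd unit that runs the
# post-install chroot scripts once on the installed system, then skips itself.
# Assumptions: unit name, marker file and ordering below; the script directory
# is /usr/lib/anon-dist/chroot-scripts-post.d as named in the thread.

SCRIPT_DIR=/usr/lib/anon-dist/chroot-scripts-post.d
MARKER_DIR=/var/lib/anon-dist                      # assumption
MARKER=$MARKER_DIR/chroot-scripts-post.done        # assumption: written only after a clean run
UNIT=anon-chroot-scripts-post.service              # assumption

# Print the unit text. ConditionPathExists=! skips the unit once the marker
# exists; --exit-on-error stops at the first failing script, so the marker is
# not written and the unit shows as failed in "systemctl list-units".
unit_text() {
    cat <<EOF
[Unit]
Description=Run Whonix post-install (chroot) scripts once after installation
ConditionPathExists=!$MARKER
ConditionDirectoryNotEmpty=$SCRIPT_DIR
After=network.target
Before=display-manager.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/run-parts --verbose --exit-on-error $SCRIPT_DIR
ExecStartPost=/bin/sh -c 'mkdir -p $MARKER_DIR && touch $MARKER'

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit into directory $1 (normally /etc/systemd/system) and print its path.
install_unit() {
    mkdir -p "$1"
    unit_text > "$1/$UNIT"
    chmod 0644 "$1/$UNIT"
    echo "$1/$UNIT"
}

# Dry run: show which scripts run-parts would pick up (the --test command above).
list_scripts() {
    run-parts --verbose --test "$SCRIPT_DIR"
}

# On a real system (assumed file name for this script):
#   sudo sh -c '. ./anon-chroot-scripts-post.sh; list_scripts; install_unit /etc/systemd/system'
#   sudo systemctl daemon-reload && sudo systemctl enable --now anon-chroot-scripts-post.service
#   systemctl status anon-chroot-scripts-post.service    # a failed script shows up here
```

run-parts executes everything in that directory, so a script that must only run inside a chroot (the thread names the whonix-initializer cleanup script) has to be removed from the directory, or moved elsewhere, before the unit is enabled; otherwise the first such script aborts the run and the marker is never written.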