sys-whonix dom0 updates failing on Qubes R4.1 with Qubes-Whonix 16

curious_george945 · August 3, 2023, 7:37pm

Ok there is an error in whonix-gw and whonix-ws:

systemcheck --ip-test

[systemcheck] UpdatesProxy IP Leak Test: Qubes’ UpdatesProxy was not reachable.
(curl exit code: [22] - [HTTP page not retrieved. The requested url was not
found or returned another error with the HTTP error code being 404
or above.

Patrick · August 5, 2023, 3:00pm

Please also provide the following log:

In sys-whonix

sudo journalctl --boot --no-pager -u qubes-updates-proxy.service

Patrick · August 5, 2023, 3:21pm

Is this issue still reproducible?

Patrick · August 5, 2023, 3:28pm

Notes:

Please post only debug output to forum threads / tickets you’re personally affected by.
Please do not double post - this causes further confusion on my side and only makes a solution less likely.
Avoid duplication. Post links instead of copy/paste.

curious_george945 · September 2, 2023, 3:18pm

sudo journalctl --boot --no-pager -u qubes-updates-proxy.service

Sep 02 05:40:21 host systemd[1]: Starting Qubes updates proxy (tinyproxy)…
Sep 02 05:40:21 host systemd[1]: Started Qubes updates proxy (tinyproxy).
Sep 02 05:40:22 host tinyproxy-wrapper[835]: Found tinyproxy at /usr/bin/tinyproxy

This issue is still ongoingg, please see:

github.com/QubesOS/qubes-issues

dom0 upgrades through sys-whonix broken - `Cannot retrieve repository metadata (repomd.xml) status code 404`

opened 05:07PM - 03 Aug 23 UTC

closed 07:21PM - 20 Aug 23 UTC

adrelanos

T: bug R: cannot reproduce C: Whonix P: default C: updates affects-4.1 affects-4.2

### Qubes OS release Qubes R4.1 Qubes R4.2 ### Brief summary dom0 upgr…ades through sys-whonix are broken. ### Steps to reproduce Use sys-whonix as UpdateVM for dom0. sudo qubes-dom0-update ### Expected behavior Functional upgrades. ### Actual behavior Error message. > Cannot retrieve repository metadata (repomd.xml) status code 404 ### Additional information Was reported in the forums: https://forums.whonix.org/t/sys-whonix-onionized-dom0-update-fail-on-qubes-r4-1-with-qubes-whonix-17/16988 Might or might not be related to general Tor unreliablity issues. I didn't experience the bug myself. ### Related * https://github.com/QubesOS/qubes-issues/issues/8388

curious_george945 · September 2, 2023, 5:01pm

Could this be a bug or vulnerability in Tinyproxy?

extraextra · September 2, 2023, 6:34pm

No, that’s not how vulnerabilities work.

Read some example vulnerability report. Random chosen one.

If you can understand it, if you can write such analysis then you can find vulnerabilities. Otherwise you cannot.

curious_george945 · September 2, 2023, 6:42pm

But it could be a software bug, or an error in a configuration file.

extraextra · September 2, 2023, 7:16pm

Could be.

curious_george945 · September 2, 2023, 7:19pm

Which do think is the more likely cause?

extraextra · September 2, 2023, 7:25pm

User errror. And there’s no shame in this. This is difficult stuff.

If it was a software bug then there would be many users affected.

You need to carefully re-read what developers said, information requested and provide it. Otherwise I see no chance for fix.

extraextra · September 2, 2023, 7:26pm

Patrick:

For debugging purposes, please run:
systemcheck --ip-test
In:

anon-whonix

sys-whonix

Whonix-Gateway Template

Whonix-Workstation Template

And post the output here in case there are any warnings or errors. Otherwise please confirm if no warnings or errors are shown.

And then you provided only half of it.

curious_george945 · September 2, 2023, 8:44pm

In sys-whonix:

systemcheck --ip-test:

[INFO] [systemcheck] SocksPort IP Leak Test: Testing Tor’s SocksPort (SOCKS_PORT_SYSTEMCHECK: 9110)…
[INFO] [systemcheck] SocksPort IP Leak Test: Connected to Tor.
[INFO] [systemcheck] system default networking IP Leak Test: system default networking IP Leak Test…
[INFO] [systemcheck] system default networking IP Leak Test Test Result: Ok, Tor’s TransPort was not reachable.
This is expected on Whonix-Gateway’s default configuration.
(curl exit code: [6] - [Couldn’t resolve host. The given remote host was not resolved.])
[INFO] [systemcheck] Stream Isolation Test: Ok, skipped, because TransPort test failed! Can not test stream isolation. This is expected on Whonix-Gateway’s default configuration.
[INFO] [systemcheck] Debian Package Update Check: Checking for software updates via apt-get… ( Documentation: Operating System Software and Updates )
[INFO] [systemcheck] Debian Package Update Check Result: No updates found via apt-get.
[INFO] [systemcheck] Please donate!

Patrick · September 3, 2023, 12:48pm

Did you restore any Whonix App Qubes or Templates from backup?

Are you using the default names for Whonix VMs?

Default VM names for Whonix 16 are:

Tempaltes:
- whonix-gw-16
- whonix-ws-16
App Qubes:
- anon-whonix
- sys-whonix

curious_george945 · September 3, 2023, 7:10pm

sys-whonix is currently a cloned VM, which is named sys-whonix-clone-1.

curious_george945 · September 3, 2023, 7:53pm

After changing the VM names back to the default, there is a new error message being returned:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check:

Failed to restart qubes-whonix-torified-updates-proxy-check.service: Unit qubes-whonix-torified-updates
-proxy-check.service not found

curious_george945 · September 3, 2023, 7:57pm

There is another error message being thrown by the GUI-based updater:

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified
Qubes updates proxy found

At the very top of that file you should have the following:

$tag:whonix-updatevm $default allow,target=sys-whonix

To see if it is fixed, try running in Whonix TemplateVM:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Patrick · September 4, 2023, 10:16am

Renaming VMs isn’t simple. There are at least 2 related Qubes usability issues:

github.com/QubesOS/qubes-issues

Renaming `sys-net` or `sys-whonix` breaks updates without warning due to hardcoded names in default RPC policies

opened 10:04AM - 04 Sep 23 UTC

adrelanos

T: bug P: major ux diagnosed C: updates affects-4.1 affects-4.2

### Qubes OS release R4.2 ### Brief summary After renaming, * `sys-n…et` to `sys-net-customized` or * `sys-whonix` to `sys-whonix-customized-name`, Template upgrades are broken. ### Steps to reproduce 1. rename VMs UpdateVM (sys-net or sys-whonix) to something else 2. try to upgrade a TemplateVM ### Expected behavior Functional upgrades or at least some error message with advice how to fix the issue. ### Actual behavior Broken upgrades. ### Additional Maybe there should be an error popup (or something): * "Attempted to use non-existent UpdatesProxy sys-net." * "Attempted to use non-existent UpdatesProxy sys-whonix." "Check your Qubes UpdatesProxy configuration." Still not terribly useful. Hence I will shortly suggest an alternative in a related ticket: * https://github.com/QubesOS/qubes-issues/issues/3412

github.com/QubesOS/qubes-issues

Improve the way the UpdateVM setting is presented to users in qubes-vm-settings

opened 01:33AM - 19 Dec 17 UTC

adrelanos

T: enhancement help wanted C: manager/widget ux P: default

#### Qubes OS version: R4 #### Affected TemplateVMs: dom0 --- ##…# Steps to reproduce the behavior: open `qubes-vm-settings` ### Expected behavior: Should have UpdateVM setting. ### Actual behavior: Does not have UpdateVM setting. ### General notes: Cloning a TempalteVM is a natural step, even an encouraged one. The newly introduced burden in Qubes R4 that one has to edit dom0 configuration after cloning a template is a big usability issue. NetVM being set to `none` for TemplateVMs (especially Whonix TemplateVMs) is very confusing for most users. (User question: "How shall I upgrade without a network connection.") Many users will think this is wrong and will manually set a NetVM. Users who clone their `whonix-gw` / `whonix-ws` will very likely have a clearnet leak, will have them upgrades through clearnet rather than Tor which is clearly unexpected. (#3118) It is very non-obvious and difficult to learn that one has to edit dom0 `/etc/qubes-rpc/policy/qubes.UpdatesProxy`. Therefore I suggest adding to `qubes-vm-settings` an UpdateVM setting below its NetVM setting. I wouldn't call it UpdatesProxy rather than UpdateVM, because UpdateVM makes more sense for users. --- #### Related issues: #3118

To use additional (new or cloned) sys-whonix you would need to do it as per documentation:

Patrick · September 4, 2023, 10:31am

I hope you wrote it without the colon (:) at the end.

I don’t see how renaming Whonix-Gateway (sys-whonix) could cause issues with qubes-whonix-torified-updates-proxy-check.

It’s also saying you should run the command in TemplateVM.

It would be really helpful to add to your post in which VM you run what command.

Some possiblities why this command might fail:

A) you run the command inside a sys-whonix which isn’t based on a Whonix Template
- for example, you created sys-whonix and made the mistake to make it use the debian-12 Template
B) you run the command in a template which has Whonix in name but is actually based on a different operating system
- this could happen by cloning a debian-12 Template and by mistake rename it to a name including Whonix
C) you uninstalled some packages?

Run systemcheck because it would tell you in the first line of its output in what kind of environment (VM name; operating system) it’s running.

systemcheck

[INFO] [systemcheck] sys-whonix | Whonix-Gateway | […]