Whonix 14 / Qubes 3.2 Testing Thread

Patrick · December 19, 2017, 1:41am

add UpdateVM setting to qubes-vm-settings

opened 01:33AM - 19 Dec 17 UTC

closed 02:26PM - 12 Jan 23 UTC

T: bug C: manager/widget ux

#### Qubes OS version: R4 #### Affected TemplateVMs: dom0 --- ##…# Steps to reproduce the behavior: open `qubes-vm-settings` ### Expected behavior: Should have UpdateVM setting. ### Actual behavior: Does not have UpdateVM setting. ### General notes: Cloning a TempalteVM is a natural step, even an encouraged one. The newly introduced burden in Qubes R4 that one has to edit dom0 configuration after cloning a template is a big usability issue. NetVM being set to `none` for TemplateVMs (especially Whonix TemplateVMs) is very confusing for most users. (User question: "How shall I upgrade without a network connection.") Many users will think this is wrong and will manually set a NetVM. Users who clone their `whonix-gw` / `whonix-ws` will very likely have a clearnet leak, will have them upgrades through clearnet rather than Tor which is clearly unexpected. (#3118) It is very non-obvious and difficult to learn that one has to edit dom0 `/etc/qubes-rpc/policy/qubes.UpdatesProxy`. Therefore I suggest adding to `qubes-vm-settings` an UpdateVM setting below its NetVM setting. I wouldn't call it UpdatesProxy rather than UpdateVM, because UpdateVM makes more sense for users. --- #### Related issues: #3118

iry · December 19, 2017, 1:47am

Hi @entr0py !

I would like to confirm if you are proposing a potentially useful GUI application called Whonix Update Manager which will work in dom0 for Qubes 4 and/or later?

I can definitely look into the problem but could you and @Patrick share some insights on these two questions first:

Can this problem be solved alternatively than using a GUI application nicely?
How long will this GUI application be useful aproximately?

Thank you so much!

Patrick · December 19, 2017, 1:55am

github.com/QubesOS/qubes-issues

UpdateVM for templates always defaults to sys-net

opened 07:53AM - 24 Sep 17 UTC

cendragon

help wanted C: doc T: task r4.0-dom0-stable

#### Qubes OS version (e.g., `R3.2`): R4.0rc1 Testing #### Affected TemplateVM…s (e.g., `fedora-23`, if applicable): Whonix, maybe others --- ### Expected behavior: Be able to select a different UpdateVM to update a template. For example, a whonix gateway to ensure updates run over tor. ### Actual behavior: Template vm defaults to using sys-net. Could potentially leak info on the template vm ### Steps to reproduce the behavior: ### General notes: This setting is irrespective of the global UpdateVM set in Dom0-Qubes Global Settings as well as the NetVM of the Template VM. The setting is set in` /etc/qubes-rpc/policy/qubes.UpdateProxy`: > $type:TemplateVM $default allow,target=sys-net I believe I have pieced together how the update proxy works in 4.0: - The proxy for apt and yum is set to localhost:8082. - This is redirected through systemctl units `qubes-updates-proxy-forwarder.socket` and `qubes-updates-proxy-forwarder@.service` to qrexec - Dom0 uses the above policy to redirect to sys-net - Sys-net includes a tinyproxy listening on localhost:8082 - The Template VM does not (and should not) have a netvm Also note that this only one problem with getting whonix templates to update in 4.0. There are are some changes that I will detail on the whonix site and link here --- #### Related issues:

Patrick · December 19, 2017, 1:58am

It’s not clear to me users would notice there is a Qubes-Whonix Update GUI so we could still have this issue, even if an Qubes-Whonix Update GUI could make it easier to change the settings.

Would my suggestions

add UpdateVM setting to qubes-vm-settings · Issue #3412 · QubesOS/qubes-issues · GitHub
UpdateVM for templates always defaults to sys-net · Issue #3118 · QubesOS/qubes-issues · GitHub

be solve this and avoid a Qubes-Whonix Update GUI? Or are these just complementary?

entr0py · December 19, 2017, 4:04am

@iry Thanks for checking in. I think @Patrick’s ideas would address my usability concerns and at the same time, be more consistent with the Qubes’ UX. We should save your talents for more important projects.

BTW, can anon-connection-wizard configure apt.sources to only use onion repos or clearnet repos? What’s the point of using onion repos if we’re downloading clearnet versions anyway? other than redundancy?

Patrick · December 19, 2017, 10:32am

entr0py:

@iry Thanks for checking in. I think @Patrick’s ideas would address my usability concerns and at the same time, be more consistent with the Qubes’ UX. We should save your talents for more important projects.

Great!

BTW, can anon-connection-wizard configure apt.sources to only use onion repos or clearnet repos?

No, that’s not the right tool for it. anon-connection-wizard is more
like tor-connection-wizard (did you ask about the name change @iry?) so
no unrelated features should be mixed into it.

What’s the point of using onion repos if we’re downloading clearnet versions anyway? other than redundancy?

It’s a big change. With Whonix 14 we’re doing a big scale test if these
are working stable. If it is working stable, it will be onion only for
Whonix 15.

iry · December 20, 2017, 1:17am

Hi @entr0py !

Patrick’s answer to this question is exactly what I thought. anon-connection-wizard should be (only) in charge of connecting to the Tor network.

Yes. Here is the ticket: Apply Tor trademark for anon-connection-wizard (#23632) · Issues · Legacy / Trac · GitLab
No response received, though.

Patrick · February 21, 2018, 9:38pm

qubes-template-whonix-*

Might not work? Try qubes-template-whonix-gw.

Could you try please…?

sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable qubes-template-whonix-gw

sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable qubes-template-whonix-ws

And if it doesn’t work create a ticket at
Issues · QubesOS/qubes-issues · GitHub?

BubonicChronicWhonix · February 28, 2018, 4:14am

I have several applications that had been failing to start in Whonix 14. Unsetting environmental variable XDG_CONFIG_DIRS seems to fix most of them.

TorMessenger is one such application.

CoyIM may have been another.

I am testing several communications applications in Qubes 3.2/Whonix 14. Including RetroShare, CoyIM, Ricochet, Riot.im, CoyIM, TorMessenger, etc etc

Several of these would not start, and I noticed that some were throwing segmentation fault errors. So, I found the posts about torbrowser crashing, and was able to apply the same advice.

I assume there are no security risks with unsetting this variable? It will just default to some order of searching config directories?

Any idea what is causing the crash? Directories listed that do not exist perhaps?

Patrick · February 28, 2018, 1:07pm

Environment variables will be fixed after installing upgrades (just now
uploaded) as well as reboot.

BubonicChronicWhonix · February 28, 2018, 8:14pm

To development?

I am on testers, and just upgraded (several whonix packages including whonixcheck and whonix-legacy), but after rebooting all of Qubes, I am still Seg Faulting.

I still need to unset the variable in order to run.

user@host:~$ riot-web 
Segmentation fault
user@host:~$ unset XDG_CONFIG_DIRS && riot-web 
Starting auto update with base URL: https://riot.im/download/desktop/update/
Auto update not supported on this platform

Patrick · February 28, 2018, 9:11pm

Whonix 14?

Upgraded from stretch repository? developers, testers and
proposed-updates also but I don’t want users on developers.

Got whonix-legacy 4.2-1? Check:

dpkg -l | grep whonix-legacy

Your /var/lib/dpkg/info/whonix-legacy.preinst should look like this:

https://github.com/Whonix/whonix-legacy/blob/master/debian/whonix-legacy.preinst

Most important is this part:

https://github.com/Whonix/whonix-legacy/blob/master/debian/whonix-legacy.preinst#L402-L412

Is there file
/var/lib/whonix/do_once/thirteen_dot_x_to_fourteen_dot_x_version_5 or
similar?

Qubes reboot not required for sure btw. Only VM reboot required.

BubonicChronicWhonix · February 28, 2018, 9:58pm

Yes, of course.

Yes, I am on Stretch-Testers.

ii  whonix-legacy                                  3:4.2-1                                                   all          Prepare older Build Versions of Whonix for Upgrade

It does.

Got that.

Not in that location. That directory has only one file:

bind-dirs-legacy-function-version-1

rebooting Template and TemplateBassedAppVM didn’t correct issue, so I rebooted the entire machine.

This is a clean install of Whonix 14 from Qubes Repo, not an upgraded of Whonix 13. FWIW

Patrick · March 5, 2018, 8:57pm

Thanks! Good report, that helps a lot.

I think I sorted this.

Upgraded whonix-legacy package should be uploaded soon. When that happens, please upgrade. Then shutdown all Whonix VMs. Then restart the TemplateBasedVMs. (The usual process to make ṕackage upgrades take effect in TemplateBasedVMs.) Should be fixed by then.

BubonicChronicWhonix · March 6, 2018, 1:21am

To the Whonix-Testers repo? Or should I grab it from github?

I haven’t seen it in APT yet.

BubonicChronicWhonix · March 6, 2018, 7:54am

received a whonix-legacy update (4.3 I believe?) in my gateway, but not my workstation

actually, I just checked, and I have 4.3-1 installed in Workstation as well.

But still cannot open some applications without unsetting variable.

Patrick · March 6, 2018, 2:40pm

Please run and post the output of the latter command here.

sudo apt-get update
sudo DEBDEBUG=1 apt-get install --reinstall whonix-legacy

BubonicChronicWhonix · March 6, 2018, 9:22pm

0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.                                               
Need to get 17.6 kB of archives.                                                                                            
After this operation, 0 B of additional disk space will be used.                                                            
Get:1 http://deb.whonix.org stretch-testers/main amd64 whonix-legacy all 3:4.3-1 [17.6 kB]                                  
Fetched 17.6 kB in 4s (4,014 B/s)                                                                                           
(Reading database ... 156965 files and directories currently installed.)                                                    
Preparing to unpack .../whonix-legacy_3%3a4.3-1_all.deb ...                                                                 
+++ type -t errorhandlergeneral                                                                                             
++ '[' '' = function ']'                                                                                                    
++ trap error_handler_pre ERR                                                                                               
++ bash -n /usr/lib/pre.bsh                                                                                                 
++ bash -n /var/lib/dpkg/tmp.ci/preinst                                                                                     
++ own_filename=preinst                                                                                                     
++ unset skip_script                                                                                                        
+ set -e                                                                                                                    
+ true '                                                                                                                    
#####################################################################                                                       
## INFO: BEGIN: whonix-legacy preinst upgrade' 3:4.3-1 '3:4.3-1                                                             
#####################################################################                                                       
'                                                                                                                           
+ true '1: upgrade'                                                                                                         
+ true '2: 3:4.3-1'                                                                                                         
+ true 'INFO: Configuring whonix-legacy...'
+ get_build_version
+ whonix_build_version='Could not read Whonix Build Version File. (Code: 3) Please report this bug!'
+ local build_version_file
+ '[' -f /usr/share/whonix/build_version ']'
+ '[' -f /var/lib/anon-dist/build_version ']'
+ build_version_file=/var/lib/anon-dist/build_version
+ '[' /var/lib/anon-dist/build_version = '' ']'
+ '[' -f /var/lib/anon-dist/build_version ']'
++ cat /var/lib/anon-dist/build_version
+ whonix_build_version=3:2.4-1
+ '[' 3:2.4-1 = '' ']'
+ true 'whonix_build_version: 3:2.4-1'
+ command -v qubesdb-read
+ dpkg --compare-versions 3:2.4-1 le 3:2.5-1
+ thirteen_dot_x_to_fourteen_dot_x
+ '[' -f /var/lib/whonix/do_once/thirteen_dot_x_to_fourteen_dot_x_version_5 ']'
+ return 0
+ true 'INFO: End configuring whonix-legacy.'
+ true 'INFO: debhelper beginning here.'
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END  : whonix-legacy preinst upgrade' 3:4.3-1 '3:4.3-1
#####################################################################
'
+ exit 0
Unpacking whonix-legacy (3:4.3-1) over (3:4.3-1) ...
Setting up whonix-legacy (3:4.3-1) ...

Patrick · March 6, 2018, 11:19pm

What is in Whonix-Workstation the output of…?

env | grep XDG_CONFIG_DIRS

This…?

XDG_CONFIG_DIRS=/usr/share/torbrowser-default-browser/:/usr/share/security-misc/:/usr/share/kde-apper-no-autoupdate/:/usr/share/anon-ws-kde-startmenu/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg

BubonicChronicWhonix · March 6, 2018, 11:46pm

XDG_CONFIG_DIRS=/usr/share/torbrowser-default-browser/:/usr/share/security-misc/:/usr/share/kde-apper-no-autoupdate/:/usr/share/anon-ws-kde-startmenu/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg