[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Whonix Desktop Installer with Calamares - field report

Just to let you know that I am currently rebuilding from scratch with version 15.0.0.3.3.

1 Like

Good question. :slight_smile: If I remember right, you previously said, that calamares gets confused by user user already being created during live boot. Therefore you manually deleted account user user before creating the iso.

Therefore we concluded that user user should be created during first boot of Whonix rather than during build of Whonix. However, also in live mode user user creation should not be done by Whonix anon-base-files.postinst but by calamares.

I guess what I am asking is, is it possible to make calamares not get confused by an already existing user user account?

What’s the name of that user account? user user? I guess not? Probably live-something? That should not really matter since it does not interfere with anything.

Yes. Ideally that would also be left to anon-base-files.postinst?

Currently for non-live Whonix builds as per git master anon-base-files.postinst creates user user with --no-create-home, uses pam-auth-update --enable mkhomedir, thereby populates the home folder on first login.

Also anon-base-files.postinst locks root account as per Restrict root access for new builds by default so calamares don’t need to ask about root account either.

I don’t know the calamares requirements and how we could design this interaction. Should we support users choosing arbitrary user account names in the installer? Self-chosen passwords right in the installer or enough after they login first?

So the more calamares (except for live-something user in live mode perhaps?) can be configured to stay out, the easier it would be from the Whonix side. Otherwise anon-base-files.postinst user user creation part would have to be converted to a systemd unit file which is more complicated.

I’ve just built a Whonix-Desktop-Calamares-ISO based on 15.0.0.3.3 (sudo -E /home/user/Whonix/whonix_build --build --redistribute --target iso --flavor whonix-host-xfce --freedom false).

By default, the ISO boots in live-mode with user Debian Live user (identified as user).

In my understanding, this behaviour is not caused by Calamares (which is merely the OS install program), but by live-config (see content of /lib/live/config/ directory).

It doesn’t seem that the installer is getting confused by this in any way.

When booting into the newly installed OS (“Whonix-Desktop”), there is no user user available (I created a user with another username).

su user
su: user user does not exist

Debian Live user

I see. As of now, anon-base-files.postint is used during first boot of Whonix-Gateway and Whonix-Workstation, right?

I don’t know yet how to integrate this into Calamares. Maybe we could avoid it altogether in the Whonix-Desktop-ISO build? Is it necessary for the Whonix-Desktop?

As a reminder, this is what currently happens by default on Whonix-Desktop-ISO build 15.0.0.3.3:

all this tested only in KVM VM only, not yet on real hardware

-> boot with ISO in live-mode, with user Debian Live user, identified as user
-> Calamares Installer lets the user choose install configuration: encryption, username, password, same password for root account (=the username has sudo rights) or different password for root account, time zone, keyboard language, etc.
-> after install, when booting on the newly installed Whonix-Desktop (hard disk, no ISO), the only interactive user available is the one created during the Calamares install (as expected). It has a home folder with Desktop Pictures and Downloads directories. I guess its environment is being copied from /etc/skel?
-> there is however a /home/user/ directory, which is empty…

Side note: I have some bugs to report regarding, I’ll do it later, probably tomorrow.

Easy answer first, might have more answers later.

ls -la /home/user

?
Completely empty? Nothing inside?
I will review what might be causing this.

No. anon-base-files.postinst is run during installation of the anon-base-files package which happens during image creation inside chroot at build time.

That is, if you have the anon-base-files package installed. Do you have the anon-base-files package installed?

If you are building Whonix host you will be installing meta package whonix-host-xfce-kvm-freedom / whonix-host-xfce-kvm-nonfreedom so anon-base-files might not be installed. This could be considered a feature, not a bug depending on how we want to design it. Whonix host might need a different but similar package. On the other hand, I guess anon-base-files on Whonix host is a good idea?

No, it is not empty:

root@test-pc:~# tree -a /home/user/
/home/user/
└── .cache
    └── virt-manager
        └── virt-xml.log

and:
cat /home/user/.cache/virt-manager/virt-xml.log

[Mon, 15 Jul 2019 13:04:36 virt-xml 13047] DEBUG (cli:200) Launched with command line: /usr/share/virt-manager/virt-xml Whonix-Gateway --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped
[Mon, 15 Jul 2019 13:04:36 virt-xml 13047] DEBUG (cli:214) Requesting libvirt URI default
[Mon, 15 Jul 2019 13:04:36 virt-xml 13047] DEBUG (cli:217) Received libvirt URI qemu:///system
[Mon, 15 Jul 2019 13:04:36 virt-xml 13047] DEBUG (virt-xml:53) XML diff:
--- Original XML
+++ Altered XML
@@ -96,5 +96,9 @@
       <backend model="random">/dev/urandom</backend>
       <address type="pci" domain="0x0000" bus="0x00" slot="0x07" function="0x0"/>
     </rng>
+    <filesystem type="mount" accessmode="mapped">
+      <source dir="/mnt/gateway-shared"/>
+      <target dir="shared"/>
+    </filesystem>
   </devices>
 </domain>

[Mon, 15 Jul 2019 13:04:36 virt-xml 13048] DEBUG (cli:200) Launched with command line: /usr/share/virt-manager/virt-xml Whonix-Workstation --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped
[Mon, 15 Jul 2019 13:04:36 virt-xml 13048] DEBUG (cli:214) Requesting libvirt URI default
[Mon, 15 Jul 2019 13:04:36 virt-xml 13048] DEBUG (cli:217) Received libvirt URI qemu:///system
[Mon, 15 Jul 2019 13:04:36 virt-xml 13048] DEBUG (virt-xml:53) XML diff:
--- Original XML
+++ Altered XML
@@ -93,5 +93,9 @@
       <backend model="random">/dev/urandom</backend>
       <address type="pci" domain="0x0000" bus="0x00" slot="0x07" function="0x0"/>
     </rng>
+    <filesystem type="mount" accessmode="mapped">
+      <source dir="/mnt/workstation-shared"/>
+      <target dir="shared"/>
+    </filesystem>
   </devices>
 </domain>

It has been copied over from the ISO file, meaning it somehow survived the cleaning phase at build time.

Other observations regarding Whonix-Desktop-Calamares-Installer-ISO-15.0.0.3.3:
All tests done with KVM, not real hardware

Whonix-ISO (=BEFORE install, using the live ISO only)

  1. Theming is not OK
    It uses default debian buster theming:

  2. Trying to use Whonix-VM with virt-manager results in fatal error
    Error starting network 'Whonix-External': Unable to create bridge virbr1: Package not installed
    Same thing for virtual network Whonix-Internal.
    Virtual network ‘default’ fails with
    Error starting network 'default': internal error: Network is already in use by interface ens3

  1. Calamares Installer branding must be changed
    It is now using default debian buster branding. I already have suggestions to change the branding, will post in another thread.

Whonix-Desktop on HDD (=AFTER install, without the live ISO)

  1. Residual files in /home/user/
    As mentioned above:

    root@test-pc:~# tree -a /home/user/
    /home/user/
    └── .cache
    └── virt-manager
    └── virt-xml.log

  2. Newly installed user cannot log in as root or execute a command with sudo rights
    This is probably the worst bug of the list. I have no idea where it comes from. It seemed to work last time I did a full build and test… Didn’t dig further, here are the outputs:

Trying to use sudo with sudo rights always fails with “incorrect password” (although it is correct):

test@test-pc:~$ sudo ls

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for q:    
Sorry, try again.
[sudo] password for q:     
Sorry, try again.
[sudo] password for q:      
sudo: 3 incorrect password attempts

su command always gives a “Permission denied” error…

test@test-pc:~$ su -
Password: 
su: Permission denied

As I said, I didn’t dig further. Any ideas on how to investigate and solve this weird faulty behavior are welcome.

  1. Trying to use Whonix-VM with virt-manager results in fatal error (same error as with ISO)
    Error starting network 'Whonix-External': Unable to create bridge virbr1: Package not installed
    Same thing for virtual network Whonix-Internal.
    Virtual network ‘default’ fails with
    Error starting network 'default': internal error: Network is already in use by interface ens3

  2. There seems to be a problem with clock synchronization (lagging one hour behind).

1 Like

Sure you are not building from git master?
There was work on this:
Restrict root access
These are not yet tested in a new build and might cause some issues.

Does /var/lib/dpkg/info/anon-base-files.postinst contain passwd? To check:

cat /var/lib/dpkg/info/anon-base-files.postinst | grep 

This would mean you build from git master.

passwd
## mkpasswd
passwd --lock “$account_to_be_locked”
#sudo passwd

@onion_knight:

/home/user/.cache/virt-manager/virt-xml.log

Any idea which might be creasing those? @HulaHoop

Also can you help please with these KVM issues? @HulaHoop

https://github.com/Whonix/whonix-initializer/blob/master/usr/lib/anon-dist/chroot-scripts-post.d/80_cleanup does not attempt to clean the home folder yet.

Maybe soon we move to http://blog.dailystuff.nl/2012/07/create-home-directory-on-first-login/ / sudo pam-auth-update --enable mkhomedir. During that I will work on it.

Timezone issue? Sometimes it is a “BIOS” (virtual or real BIOS) vs system clock issue.
Is package timezone-utc installed? I guess we want to go for that?

OK as per the official guide there is a virtinst package needed for creating/cloning VMs via commandline. Please install and let me know if it works.

https://wiki.debian.org/KVM#Installation

1 Like

There is no such file:

ls var/lib/dpkg/info/anon-*
var/lib/dpkg/info/anon-icon-pack.list
var/lib/dpkg/info/anon-icon-pack.md5sums
var/lib/dpkg/info/anon-icon-pack.postinst
var/lib/dpkg/info/anon-icon-pack.postrm

This is all the commands I used for building. Is it correct?:

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix
cd Whonix
git branch 15.0.0.3.3-stable
git checkout 15.0.0.3.3-stable
sudo -E ./whonix_build --build --redistribute --target iso --flavor whonix-host-xfce --freedom false

Already installed:

root@test-pc:~# apt install timezone-utc
Reading package lists... Done
Building dependency tree       
Reading state information... Done
timezone-utc is already the newest version (3:2.4-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Thanks, will try it later. I didn’t have this problem last time I built a Whonix-Host-ISO (in May I think). Was the package removed from the Whonix-Host build?

EDIT: the package is already installed.
Currently looking what else could cause the issue.

1 Like

OK, I have found the cause of

Error starting network 'Whonix-External': Unable to create bridge virbr1: Package not installed

One or some of the following protocols listed in /etc/modprobe.d/uncommon-network-protocols.conf are needed:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install llc /bin/true
install p8022 /bin/true

Reverting back to a previous version of this file (I think, June?) solves the problem:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

Now, next problem is

Error starting network 'Whonix-External': Cannot check dnsmasq binary /usr/sbin/dnsmasq: No such file or directory

Seems easier to fix :slight_smile:

Installing dns-masq solves the problem (as reported earlier in this thread by @HulaHoop

2 Likes

Bravo. It would have never come to my mind.

1 Like

onion_knight via Whonix Forum:

OK, I have found the cause of

Error starting network 'Whonix-External': Unable to create bridge virbr1: Package not installed

One or some of the following protocols listed in /etc/modprobe.d/uncommon-network-protocols.conf are needed:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install llc /bin/true
install p8022 /bin/true

Strange you have them all Whonix 15.0.0.3.3-stable. This means somehow
you’re using packages from git master. Nonetheless this needs to be
fixes as this change is coming.

Reverting back to a previous version of this file (I think, June?) solves the problem:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

Could you please find out which module it is? Once root access is
restored…

sudo lsmod

Or @madaidan @HulaHoop any idea which module that could be?

Now, next problem is

Error starting network 'Whonix-External': Cannot check dnsmasq binary /usr/sbin/dnsmasq: No such file or directory

I speculate installing dnsmasq-base package would solve this.

Is dnsmasq a dependency of Whonix KVM? Should dnsmasq-base be a
Depends: of whonix-libvirt package? @HulaHoop

Can you make (sanely) Whonix KVM work while sudo apt purge dnsmasq*?
@HulaHoop

onion_knight via Whonix Forum:

There is no such file:

ls var/lib/dpkg/info/anon-*
var/lib/dpkg/info/anon-icon-pack.list
var/lib/dpkg/info/anon-icon-pack.md5sums
var/lib/dpkg/info/anon-icon-pack.postinst
var/lib/dpkg/info/anon-icon-pack.postrm

No anon-base-files installed package then. “Good” because nothing
“randomly” pulls the package. “Bad” because then also nothing sets
password for user “user” to “changeme”. Expected that sudo does not work
then since no password is set.

Just now added anon-base-files to whonix-host-xfce-kvm-freedom for user
“user” creation. Will be included in next git tag.

To gain “emergency” root, next git tag will also include a passwordless
recovery mode.

( Restrict root access )
( https://www.whonix.org/wiki/Recovery#Recovery_Mode )

(But that might already work in your build too.)
(For example, set a root password from recovery mode, or whatever
needed, type “exit” and continue boot.)

Can you boot the raw image of Whonix host for further experimentation
rather than iso? That might help making persistent changes (such

This is all the commands I used for building. Is it correct?:

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix
cd Whonix
git branch 15.0.0.3.3-stable
git checkout 15.0.0.3.3-stable
sudo -E ./whonix_build --build --redistribute --target iso --flavor whonix-host-xfce --freedom false

Looks correct.

build-steps.d/1100_prepare-build-machine does

sudo $SUDO_OPTS git submodule sync --recursive
sudo $SUDO_OPTS git submodule update --init --recursive --jobs=200

the latter should set the git submodules to the correct git revision.

Does manually running git submodule update do something? It should not
but if it does it sets the correct revision (as it should reflect the
git tag).

OK as per the official guide there is a virtinst package needed for creating/cloning VMs via commandline. Please install and let me know if it works.

https://wiki.debian.org/KVM#Installation

Could you please make https://wiki.debian.org/KVM#Installation suitable
for use with apt --no-install-recommends? @HulaHoop

Thanks, will try it later. I didn’t have this problem last time I built a Whonix-Host-ISO (in May I think). Was the package removed from the Whonix-Host build?

I did not touch it. Manual build vs --no-install-recommends issue?

I can try, but I will need to blacklist each module one by one to see which one(s) causes the failure of bridge creation.

Installing dnsmasq solved the problem. I didn’t try with dnsmasq-base.

By default, there is no user user with the ISO build. Only a live user when booted in live-mode. I think it has sudo rights by default (I’ll check that again).

Important: problem with sudo/su arises in the installed machine (post Calamares), But I still can log in to graphical target with root.

Yes, that’s what I’m doing.

Once again, sudo/su problems are not with the ISO/raw Whonix Host, but on the installed image after Calamares install

.The package was already installed.

2 Likes

@Patrick do I still need t change the guide?

Yes. Would be very helpful. Starting with minimal packages (Debian minimal or so) and then setting all up with --no-install-recommends.

Comapred the blaklisted modules with the loaded ones on my host and llc is needed for bridging in libvirt.

It is fetched as part of the collection. Do you know the reverse depends command so I can check it quickly?

Can you make (sanely) Whonix KVM work while sudo apt purge dnsmasq* ?

I remember trying that some time ago and this would break NAT networks.

2 Likes

OK it seems dnsmasq-base needes to be added explicitly for it to be fetched.

EDIT:

Nope. Seems it is included in the Whonix base install by default.

Here’s the suggested packages. I hesitate to exclude them because I don’t know what features we need rely on these packages. They are relatively few compared to the mandatory collection anyhow.

Suggested packages:
  augeas-doc wodim cdrkit-doc augeas-tools libdv-bin oss-compat libosinfo-l10n
  sidplay-base gstreamer1.0-plugins-bad libvirt-daemon-driver-storage-gluster
  libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-zfs numad
  auditd nfs-common open-iscsi radvd systemtap zfsutils libvisual-0.4-plugins
  python-cryptography-doc python-cryptography-vectors python-enum34-doc
  python-openssl-doc python-openssl-dbg python-socks python-ntlm
  python-dbus-doc python3-dbus-dbg samba vde2 qemu-block-extra sgabios
  debootstrap ssh-askpass gnome-keyring gir1.2-secret-1 python3-guestfs
reverse-depends dnsmasq-base

Shows:

Reverse-Recommends
==================
* libvirt-daemon-system
* lxc
* network-manager

Reverse-Depends
===============
* concordance-common
* dnsmasq
* mahimahi
* neutron-dhcp-agent

Try to remove the package and see what happens. Still enough time to abort. Also good to experiment in live mode. Then perhaps try to uninstall another package from that list instead to track further and further. Or uninstall and reinstall one by one using --no-install-recommends and see at which point something would pull the package.

Suggested packages are never installed by default. Only when using --install-suggests, which I saw never anyone using. This is only about Recommends:.

That list of Suggests: contains packages definitively to be avoided. Packages like gnome-keyring can cause other issues. Just not great to have any packages without really needing those.

As for Recommends: these should not be relied upon. Installation vs non-installation depends on which packages the user already has installed. Therefore this can lead to inconsistent / non-compareable results.

For example dnsmasq-base might recommend dnsmasq for no reason which could then interfere with host DNS. In worst case a world reachable port could be opened.

Another example for what mess it can create:
Installing git-all will delete some Whonix packages

More on why we need --no-install-recommends:
https://www.whonix.org/wiki/Whonix_Debian_Packages#Technical_Stuff

In conclusion we really need start with Debian minimal, then install with and without --no-install-recommends. Understanding the difference in packages being installed and having a basic understanding which each of this different packages would make.

By Debian policy, packages must not depend on any Recommends: being installed for secure configuration. It won’t be that difficult after all. Just some features might break when some package is missing which can be easily fixed when knowing the difference of which packages are missing.

Whonix base install? You mean inside VMs? I wouldn’t know what pulls it . Not existing in Qubes-Whonix. Try to purge it:

sudo apt purge dnsmasq*

It might be a leftover in upgraded images. If it is removable inside Whonix VMs, it should be removed. Just cruft. That could even break alternative DNS resolvers.
(MX / SRV / DNSSEC / any DNS requests over Tor / DNSCrypt) (dnsmasq-base not so much but dnsmasq might create an unwanted listener port.)

It must have been pulled by dino because a clean snapshot doesn’t have it.

This is not the case on my host where it is installed. I confirmed with netstat. Also the documentation on libvirt makes this clear that it is not configured in a way that exposes the system but bound only to specific libvirt interfaces.

Nuking it breaks ‘default’ and any VM relying on NAT virtual network to access the outside world. Bridged adapters are not available for most Laptops out there. so we must rely on it.

If I were to purge it, only the dnsmasq -base package would be removed. Nothing else.

All right good to know.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]