Whonix Desktop Installer with Calamares - field report

OK as per the official guide there is a virtinst package needed for creating/cloning VMs via commandline. Please install and let me know if it works.

https://wiki.debian.org/KVM#Installation

1 Like

There is no such file:

ls var/lib/dpkg/info/anon-*
var/lib/dpkg/info/anon-icon-pack.list
var/lib/dpkg/info/anon-icon-pack.md5sums
var/lib/dpkg/info/anon-icon-pack.postinst
var/lib/dpkg/info/anon-icon-pack.postrm

This is all the commands I used for building. Is it correct?:

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix
cd Whonix
git branch 15.0.0.3.3-stable
git checkout 15.0.0.3.3-stable
sudo -E ./whonix_build --build --redistribute --target iso --flavor whonix-host-xfce --freedom false

Already installed:

root@test-pc:~# apt install timezone-utc
Reading package lists... Done
Building dependency tree       
Reading state information... Done
timezone-utc is already the newest version (3:2.4-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Thanks, will try it later. I didn’t have this problem last time I built a Whonix-Host-ISO (in May I think). Was the package removed from the Whonix-Host build?

EDIT: the package is already installed.
Currently looking into what else could cause the issue.

1 Like

OK, I have found the cause of

Error starting network 'Whonix-External': Unable to create bridge virbr1: Package not installed

One or some of the following protocols listed in /etc/modprobe.d/uncommon-network-protocols.conf are needed:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install llc /bin/true
install p8022 /bin/true

Reverting back to a previous version of this file (I think, June?) solves the problem:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

Now, next problem is

Error starting network 'Whonix-External': Cannot check dnsmasq binary /usr/sbin/dnsmasq: No such file or directory

Seems easier to fix :slight_smile:

Installing dnsmasq solves the problem (as reported earlier in this thread by @HulaHoop).

2 Likes

Bravo. It would have never come to my mind.

1 Like

onion_knight via Whonix Forum:

OK, I have found the cause of

Error starting network 'Whonix-External': Unable to create bridge virbr1: Package not installed

One or some of the following protocols listed in /etc/modprobe.d/uncommon-network-protocols.conf are needed:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install llc /bin/true
install p8022 /bin/true

Strange you have them all in Whonix 15.0.0.3.3-stable. This means somehow
you’re using packages from git master. Nonetheless this needs to be
fixed as this change is coming.

Reverting back to a previous version of this file (I think, June?) solves the problem:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

Could you please find out which module it is? Once root access is
restored…

sudo lsmod

Or @madaidan @HulaHoop any idea which module that could be?

Now, next problem is

Error starting network 'Whonix-External': Cannot check dnsmasq binary /usr/sbin/dnsmasq: No such file or directory

I speculate installing dnsmasq-base package would solve this.

Is dnsmasq a dependency of Whonix KVM? Should dnsmasq-base be a
Depends: of whonix-libvirt package? @HulaHoop

Can you make (sanely) Whonix KVM work while sudo apt purge dnsmasq*?
@HulaHoop

onion_knight via Whonix Forum:

There is no such file:

ls var/lib/dpkg/info/anon-*
var/lib/dpkg/info/anon-icon-pack.list
var/lib/dpkg/info/anon-icon-pack.md5sums
var/lib/dpkg/info/anon-icon-pack.postinst
var/lib/dpkg/info/anon-icon-pack.postrm

No anon-base-files installed package then. “Good” because nothing
“randomly” pulls the package. “Bad” because then also nothing sets
password for user “user” to “changeme”. Expected that sudo does not work
then since no password is set.

Just now added anon-base-files to whonix-host-xfce-kvm-freedom for user
“user” creation. Will be included in next git tag.

To gain “emergency” root, next git tag will also include a passwordless
recovery mode.

( Restrict root access - #46 by Patrick )
( Recovery - Kicksecure )

(But that might already work in your build too.)
(For example, set a root password from recovery mode, or whatever
needed, type “exit” and continue boot.)

Can you boot the raw image of Whonix host for further experimentation
rather than iso? That might help making persistent changes (such

This is all the commands I used for building. Is it correct?:

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix
cd Whonix
git branch 15.0.0.3.3-stable
git checkout 15.0.0.3.3-stable
sudo -E ./whonix_build --build --redistribute --target iso --flavor whonix-host-xfce --freedom false

Looks correct.

build-steps.d/1100_prepare-build-machine does

sudo $SUDO_OPTS git submodule sync --recursive
sudo $SUDO_OPTS git submodule update --init --recursive --jobs=200

the latter should set the git submodules to the correct git revision.

Does manually running git submodule update do something? It should not
but if it does it sets the correct revision (as it should reflect the
git tag).

OK as per the official guide there is a virtinst package needed for creating/cloning VMs via commandline. Please install and let me know if it works.

KVM - Debian Wiki

Could you please make KVM - Debian Wiki suitable
for use with apt --no-install-recommends? @HulaHoop

Thanks, will try it later. I didn’t have this problem last time I built a Whonix-Host-ISO (in May I think). Was the package removed from the Whonix-Host build?

I did not touch it. Manual build vs --no-install-recommends issue?

I can try, but I will need to blacklist each module one by one to see which one(s) causes the failure of bridge creation.

Installing dnsmasq solved the problem. I didn’t try with dnsmasq-base.

By default, there is no user user with the ISO build. Only a live user when booted in live-mode. I think it has sudo rights by default (I’ll check that again).

Important: the problem with sudo/su arises in the installed machine (post Calamares), but I can still log in to the graphical target with root.

Yes, that’s what I’m doing.

Once again, sudo/su problems are not with the ISO/raw Whonix Host, but on the installed image after Calamares install.

The package was already installed.

2 Likes

@Patrick do I still need to change the guide?

Yes. Would be very helpful. Starting with minimal packages (Debian minimal or so) and then setting all up with --no-install-recommends.

Compared the blacklisted modules with the loaded ones on my host and llc is needed for bridging in libvirt.

It is fetched as part of the collection. Do you know the reverse depends command so I can check it quickly?

Can you make (sanely) Whonix KVM work while sudo apt purge dnsmasq* ?

I remember trying that some time ago and this would break NAT networks.

2 Likes
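The comparison described above (disabled modules against the modules loaded on a host where bridging works), as an added example that is not part of the original posts. The `lsmod` output is constructed, the config is an excerpt of the file quoted in the thread, and the function name `disabled_but_loaded` is made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): compare a modprobe.d file against the
# modules loaded on a host where libvirt bridging works.

# disabled_but_loaded CONF LSMOD_FILE
# Prints modules that CONF disables with "install <module> /bin/true" and that
# appear in LSMOD_FILE (saved `lsmod` output from the working host).
disabled_but_loaded() {
    awk '
        # The kernel treats "-" and "_" in module names as equivalent.
        function norm(name) { gsub(/-/, "_", name); return name }
        # First file: collect every module whose install command is /bin/true.
        FILENAME == ARGV[1] {
            if ($1 == "install" && $3 == "/bin/true") disabled[norm($2)] = 1
            next
        }
        # Second file: skip the lsmod header, print loaded modules that are disabled.
        FNR > 1 && (norm($1) in disabled) { print norm($1) }
    ' "$1" "$2" | sort -u
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Excerpt of the file quoted in the thread.
    cat > "$tmp/uncommon-network-protocols.conf" <<'EOF'
install dccp /bin/true
install sctp /bin/true
install n-hdlc /bin/true
install psnap /bin/true
install llc /bin/true
install p8022 /bin/true
EOF
    # Constructed lsmod output for a host with a libvirt bridge up.
    cat > "$tmp/lsmod.txt" <<'EOF'
Module                  Size  Used by
bridge                188416  0
stp                    16384  1 bridge
llc                    16384  2 bridge,stp
EOF
    disabled_but_loaded "$tmp/uncommon-network-protocols.conf" "$tmp/lsmod.txt"
    rm -rf "$tmp"
}

demo
```

On a real system, save `lsmod` from the working host to a file and pass it together with /etc/modprobe.d/uncommon-network-protocols.conf from the failing one.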

OK it seems dnsmasq-base needs to be added explicitly for it to be fetched.

EDIT:

Nope. Seems it is included in the Whonix base install by default.

Here are the suggested packages. I hesitate to exclude them because I don’t know what features we need that rely on these packages. They are relatively few compared to the mandatory collection anyhow.

Suggested packages:
  augeas-doc wodim cdrkit-doc augeas-tools libdv-bin oss-compat libosinfo-l10n
  sidplay-base gstreamer1.0-plugins-bad libvirt-daemon-driver-storage-gluster
  libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-zfs numad
  auditd nfs-common open-iscsi radvd systemtap zfsutils libvisual-0.4-plugins
  python-cryptography-doc python-cryptography-vectors python-enum34-doc
  python-openssl-doc python-openssl-dbg python-socks python-ntlm
  python-dbus-doc python3-dbus-dbg samba vde2 qemu-block-extra sgabios
  debootstrap ssh-askpass gnome-keyring gir1.2-secret-1 python3-guestfs

reverse-depends dnsmasq-base

Shows:

Reverse-Recommends
==================
* libvirt-daemon-system
* lxc
* network-manager

Reverse-Depends
===============
* concordance-common
* dnsmasq
* mahimahi
* neutron-dhcp-agent

Try to remove the package and see what happens. Still enough time to abort. Also good to experiment in live mode. Then perhaps try to uninstall another package from that list instead to track further and further. Or uninstall and reinstall one by one using --no-install-recommends and see at which point something would pull the package.

Suggested packages are never installed by default. Only when using --install-suggests, which I never saw anyone using. This is only about Recommends:.

That list of Suggests: contains packages definitively to be avoided. Packages like gnome-keyring can cause other issues. Just not great to have any packages without really needing those.

As for Recommends: these should not be relied upon. Installation vs non-installation depends on which packages the user already has installed. Therefore this can lead to inconsistent / non-comparable results.

For example dnsmasq-base might recommend dnsmasq for no reason which could then interfere with host DNS. In worst case a world reachable port could be opened.

Another example for what mess it can create:
Installing git-all will delete some Whonix packages

More on why we need --no-install-recommends:
Debian Packages - Whonix

In conclusion we really need to start with Debian minimal, then install with and without --no-install-recommends. Understanding the difference in packages being installed and having a basic understanding of what difference each of these packages would make.

By Debian policy, packages must not depend on any Recommends: being installed for secure configuration. It won’t be that difficult after all. Just some features might break when some package is missing which can be easily fixed when knowing the difference of which packages are missing.

Whonix base install? You mean inside VMs? I wouldn’t know what pulls it. Not existing in Qubes-Whonix. Try to purge it:

sudo apt purge dnsmasq*

It might be a leftover in upgraded images. If it is removable inside Whonix VMs, it should be removed. Just cruft. That could even break alternative DNS resolvers.
(MX / SRV / DNSSEC / any DNS requests over Tor / DNSCrypt) (dnsmasq-base not so much but dnsmasq might create an unwanted listener port.)
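One way to see the difference in installed packages with and without --no-install-recommends, as an added example that is not part of the original posts. It compares two saved `apt-get -s install` simulations; the sample output and its version strings are constructed, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): find packages that a simulated install
# selects only because of Recommends:.

# inst_names: read `apt-get -s install ...` output on stdin and print the
# sorted names from its "Inst <name> (...)" lines.
inst_names() {
    awk '$1 == "Inst" { print $2 }' | LC_ALL=C sort -u
}

# recommends_only WITH WITHOUT
#   WITH     saved output of: apt-get -s install PKG
#   WITHOUT  saved output of: apt-get -s install --no-install-recommends PKG
recommends_only() {
    a=$(mktemp) && b=$(mktemp) || return 1
    inst_names < "$1" > "$a"
    inst_names < "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"    # names that appear only in WITH
    rm -f "$a" "$b"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed simulation output; versions are placeholders.
    cat > "$tmp/with.txt" <<'EOF'
Inst libvirt-daemon (0.0-example Debian:stable [amd64])
Inst dnsmasq-base (0.0-example Debian:stable [amd64])
Inst libvirt-daemon-system (0.0-example Debian:stable [amd64])
Conf libvirt-daemon (0.0-example Debian:stable [amd64])
Conf dnsmasq-base (0.0-example Debian:stable [amd64])
Conf libvirt-daemon-system (0.0-example Debian:stable [amd64])
EOF
    cat > "$tmp/without.txt" <<'EOF'
Inst libvirt-daemon (0.0-example Debian:stable [amd64])
Inst libvirt-daemon-system (0.0-example Debian:stable [amd64])
Conf libvirt-daemon (0.0-example Debian:stable [amd64])
Conf libvirt-daemon-system (0.0-example Debian:stable [amd64])
EOF
    recommends_only "$tmp/with.txt" "$tmp/without.txt"
    rm -rf "$tmp"
}

demo
```

Run both simulations on the same starting system (ideally a Debian minimal install), since what is already installed changes the result.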

It must have been pulled by dino because a clean snapshot doesn’t have it.

This is not the case on my host where it is installed. I confirmed with netstat. Also the documentation on libvirt makes this clear that it is not configured in a way that exposes the system but bound only to specific libvirt interfaces.

Nuking it breaks ‘default’ and any VM relying on NAT virtual network to access the outside world. Bridged adapters are not available for most laptops out there, so we must rely on it.

If I were to purge it, only the dnsmasq-base package would be removed. Nothing else.

All right good to know.

1 Like
1 Like
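A check for the two cases discussed above (a dnsmasq listener bound to all interfaces versus libvirt's dnsmasq bound to its own interfaces), as an added example that is not part of the original posts. It reads `ss -H -tulnp` output; the sample lines, PIDs and the function name `wildcard_dnsmasq` are constructed for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): flag dnsmasq sockets that listen on
# every interface instead of a specific address or device.

# wildcard_dnsmasq: read `ss -H -tulnp` output on stdin (run ss as root so the
# process column is filled in) and print "<proto> <local address>" for each
# dnsmasq socket bound to a wildcard address.
wildcard_dnsmasq() {
    awk '
        index($0, "\"dnsmasq\"") == 0 { next }   # only dnsmasq sockets
        {
            addr = $5                             # column 5: local address:port
            sub(/:[^:]*$/, "", addr)              # drop the :port suffix
            # An address such as 0.0.0.0%virbr0 is bound to one device and
            # does not match any of the wildcard forms below.
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                print $1, $5
        }
    '
}

demo() {
    # Constructed ss output: the first three sockets are what libvirt starts
    # for a NAT network, the fourth is a wildcard dnsmasq listener.
    wildcard_dnsmasq <<'EOF'
udp UNCONN 0 0  192.168.122.1:53  0.0.0.0:* users:(("dnsmasq",pid=1201,fd=5))
udp UNCONN 0 0  0.0.0.0%virbr0:67 0.0.0.0:* users:(("dnsmasq",pid=1201,fd=3))
tcp LISTEN 0 32 192.168.122.1:53  0.0.0.0:* users:(("dnsmasq",pid=1201,fd=6))
udp UNCONN 0 0  0.0.0.0:53        0.0.0.0:* users:(("dnsmasq",pid=2310,fd=4))
tcp LISTEN 0 128 0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=800,fd=3))
EOF
}

demo
```

On a live host: `sudo ss -H -tulnp | wildcard_dnsmasq`; no output means no dnsmasq socket is bound to a wildcard address.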

git tag 15.0.0.3.6-developers-only builds, boot fine, looks good at first look.
Previously there were some issues with root/sudo in an intermediate development version in the VM version of Whonix. These are now fixed.

Some changes to how root/sudo works beginning with 15.0.0.3.6-developers-only: The default root account is locked. This is a purposeful security feature. See:

1 Like

Sorry for low activity lately, much to do IRL.
Will try a new build and hopefully will have more time to pursue this project.

2 Likes

I noticed I did a git checkout 15.0.0.3.6-developers-only but it’s building 15.0.0.3.9-27 regardless… Any idea why?

1 Like

Looking into that now. Will try to reproduce.

These are the commands I am using. (Taken from Build and Update Whonix from Source Code)

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix
cd Whonix
git verify-tag 15.0.0.3.6-developers-only
git checkout 15.0.0.3.6-developers-only
git describe

(git describe just now added as a test.)

git describe should output

15.0.0.3.6-developers-only

sudo ~/Whonix/whonix_build --flavor whonix-gateway-xfce --target virtualbox --build

Build output should contain pretty early (copy to text editor and search perhaps):

INFO: Variable anon_dist_build_version was unset. Auto detected. Set to: 15.0.0.3.6

Later on the build output should include:

  • true '/home/user/Whonix/help-steps/git_sanity_test INFO: git_tag_nearest: 15.0.0.3.6-developers-only '
  • true '/home/user/Whonix/help-steps/git_sanity_test INFO: git_tag_current: 15.0.0.3.6-developers-only '

Building from a non-tagged release is actually deliberately protected against and made a tiny bit more difficult. Requires adding:

--allow-untagged true --allow-uncommitted true

(But this is mentioned in the error message when that happens.)

Build would actually fail, but also advise why.

  • true '---------------------------------------------------------------------'

  • true '/home/user/Whonix/help-steps/git_sanity_test ERROR: Git reports uncommitted changes! '

  • true '/home/user/Whonix/help-steps/git_sanity_test INFO: (And you are not using --allow-uncommitted true, which you also should not do for security reasons, unless you are a developer or advanced user and know what you are doing. Such as in case you added custom code.) '

  • git_sanity_test_hint

  • true '/home/user/Whonix/help-steps/git_sanity_test INFO: (As a developer or advanced user you might want to use:)
    --allow-untagged true --allow-uncommitted true

  • true '/home/user/Whonix/help-steps/git_sanity_test INFO: Running "git status" for your convenience. '

  • git status
    HEAD detached at 15.0.0.3.6-developers-only
    Untracked files:
    (use "git add …" to include in what will be committed)

    packages/binaries-freedom/
    packages/kicksecure-base-files/

nothing added to commit but untracked files present (use "git add" to track)

  • true '/home/user/Whonix/help-steps/git_sanity_test INFO: Running git "clean -d --force --force --dry-run" for your convenience. '
  • git clean -d --force --force --dry-run
    Would remove packages/binaries-freedom/
    Would remove packages/kicksecure-base-files/
  • true '/home/user/Whonix/help-steps/git_sanity_test You most likely like to run:
    /home/user/Whonix/help-steps/cleanup-files
    or if you know what you are doing:
    git clean -d --force --force
    git reset --hard
  • true '---------------------------------------------------------------------'
  • error 'Uncommitted changes! See above!'
  • echo '############################################################'
    ############################################################
  • echo 'ERROR: Uncommitted changes! See above!'
    ERROR: Uncommitted changes! See above!
  • echo '############################################################'
    ############################################################
  • error_ 'See above! (There should be a bold, red message surrounded by blue hashtags (#).)'
    pre: line 30: error_: command not found

git clean -d --force --force solves that.

Btw just finished testing Whonix git tag 15.0.0.3.9 which is uploaded already with a call for testers coming soon.

(Also has such an extraneous folder.)

If that does not work for you, please paste the commands you’re using here. Or post the output of a whole build until around the git_tag_current line.

1 Like