Sir @onion_knight we need you, Whonix Host needs you, Freedom needs you.
@HulaHoop Thanks for your kind message!
Sorry if you have the feeling that I let you down. I was indeed less involved with the project lately. I want back and I also want this thing to succeed, but I guess that I won’t be able to do it alone due to my limited abilities as a developper.
All right, let me at least catch up with the new topics and try to build anew from scratch a Whonix Host Operating machine, and see where we stand with this project, what works, what doesn’t, and what still needs to be done.
No worries. Your previous contributions were instrumental in moving this project forward! I don’t think we’d have the iso generation code without your original research and implementation and much more. If you can keep up with as you did previously, that would already be a big help!
sudo ~/Whonix/whonix_build --build --target iso --flavor whonix-host-xfce --freedom false) fails at
Depends: security-misc but it is not going to be installed
And then installation of
security-misc fails, because:
+ export IFS + '[' '!' '' = yes ']' + echo '/var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group '\''sudo'\''. Installation aborted.' /var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'sudo'. Installation aborted. + echo '/var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run:' /var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run: + echo ''
I chose to ignore the error and continue the build for the moment.
Because of this error
dpkg was interrupted and I had to chroot inside the raw file and
apt install -f to finish the dpkg process by hand.
Furthermore, the following packages were not properly installed and automatically removed:
kicksecure-cli kicksecure-dependencies-cli kicksecure-xfce whonix-host-xfce-kvm-freedom whonix-host-xfce-kvm-nonfreedom
Anyway the resulting disk image is completely broken.
I’ll try it again from scratch once this error has been fixed… Unless someone has a proven method of building Whonix-Host.
It’s related to the old discussion on how user
user should be created.
( Whonix Desktop Installer with Calamares - field report - #81 by Patrick )
For Non-Qubes-Whonix VM builds user
user is created by anon-base-files postinst script.
For Whonix Host builds this code does not run. This was a result of the discussion how user
user (and user groups) should be created.
Nowadays security-misc disabled root login for better security (among a ton of other security hardening).
Since security-misc is also used outside of Whonix, there is a check to not install if there are no users in group sudo. This check is implemented in security-misc preinst.
Meanwhile perhaps remove security-misc from anon-meta-packages debian/control?
In that case (easiest), add to build command
--allow-untagged true --allow-uncommitted true
That should help avoiding issues some sudo/root access issues security-misc can be figured out later.
I think I suggested to avoid live-config so we don’t involve any of its user
user creation code.
I’ll try to fix the build.
Could you please check package
live-config? Maybe it’s mostly about the scripts in
/lib/live/config/. What stuff we need?
Perhaps we can get rid of live-config or re-implement the few bits that we do need.
I try to use “standard” anon-base-files for user
user and groups creation and dropping live-config. Seems the less complex solution to this issue.
As far as I remember, we need at least a script for user creation during boot, and probably some other small stuff that I don’t remember of yet.
CUSTOMIZATION live-config can be easily customized for downstream projects or local usage. Adding new config components Downstream projects can put their components into /lib/live/config and do not need to do anything else, the components will be called automatically during boot. The components are best put into an own debian package. A sample package containing an example component can be found in /usr/share/doc/live-config/examples. Removing existing config components It is not really possible to remove components itself in a sane way yet without requiring either to ship a locally modified live-config package or using dpkg-divert. However, the same can be achieved by disabling the respective components through the live-config.nocomponents mechanism, see above. To avoid to always need specifying disabled components through the boot parameter, a con‐ figuration file should be used, see above. The configuration files for the live system itself are best put into an own debian package. A sample package containing an example configuration can be found in /usr/share/doc/live-config/examples. COMPONENTS live-config currently features the following components in /lib/live/config. debconf allows one to apply arbitrary preseed files placed on the live media or an http/ftp server. hostname configures /etc/hostname and /etc/hosts. user-setup adds a live user account. sudo grants sudo privileges to the live user. locales configures locales. locales-all configures locales-all. tzdata configures /etc/timezone. gdm3 configures autologin in gdm3. kdm configures autologin in kdm. lightdm configures autologin in lightdm. lxdm configures autologin in lxdm. nodm configures autologin in nodm. slim configures autologin in slim. xinit configures autologin with xinit. keyboard-configuration configures the keyboard. systemd configures systemd autologin. sysvinit configures sysvinit. sysv-rc configures sysv-rc by disabling listed services. login disables lastlog. apport disables apport. gnome-panel-data disables lock button for the screen. gnome-power-manager disables hibernation. gnome-screensaver disables the screensaver locking the screen. kaboom disables KDE migration wizard (squeeze and newer). kde-services disables some unwanted KDE services (squeeze and newer). policykit grant user privilegies through policykit. ssl-cert regenerating ssl snake-oil certificates. anacron disables anacron. util-linux disables util-linux' hwclock. login disables lastlog. xserver-xorg configures xserver-xorg. broadcom-sta configures broadcom-sta WLAN drivers. openssh-server recreates openssh-server host keys. xfce4-panel configures xfce4-panel to default settings. xscreensaver disables the screensaver locking the screen. hooks allows one to run arbitrary commands from a file placed on the live media or an http/ftp server.
I guess better if re-implemented. A quick search looks like Tails also stopped using live-config.
/usr/lib/whonix-libvirt/install is currently breaking the build on a host system that has VirtualBox installed. During
virsh -c qemu:///system net-start "default" it freezes everything.
Maybe it would be better to not do this during build inside chroot? Would be ok too if /usr/lib/whonix-libvirt/install was executed during first boot using a systemd unit file?
Great, would you mind sharing the links? Couldn’t find anything.
Meanwhile I did that and managed to complete the build without errors. Some did get wrong though, as the ISO file kernel panics on boot…
(Search only on domain
tails.boum.org for exact string
Thanks, will have a look.
My newly built Host VM (.raw file) also kernel panics when booting into live mode:
line 244: can't open '/scripts/live' : No such file or directory
Or we don’t have initramfs or dracut installed?
no, but package
live-boot was not installed during the build… After installing it, it works.
Quite possible. I commented out
pkg-add-to-install-list live-config. (In a later tag that I didn’t mention yet.)
live-boot is needed? I guess, yes. Then I’ll add to build-steps.d/1700_install-packages now that
live-config is gone?
(live-config probably pulled live-boot as a dependency.)
live-boot is needed. Oddly enough,
live-config was installed, but not
Did you comment out
live-boot for kicksecure only or for all builds?
This was the only related thing I did:
There was no live-boot explicitly written anywhere.
(Well, pacakge grub-live depends on live-boot but I am not sure that gets installed for Whonix Host ISO builds (yet).)