Whonix-Host Operating System (OS) ISO

Build seems fine. It was tagged Whonix-Host-XFCE-15.0.1.0.0-3-ga2e3ae6bf4cf48b4a9277de39c9e538da1e186ff I don’t know why?
Just a small fix for the installer desktop icon:

I will try to investigate this read-only bug with the VMs later.

1 Like

Nice!

I deliberately removed as many mentions of hardcoded Whonix strings as possible. Maybe we could rename the file instead? The idea is that some Kicksecure package needs to modify only a minimal amount of files and voila, we have a Kicksecure installer too.

Most likely you build from git master in that case. If you git fetch/merge Whonix/Whonix then you’re a few commits ahead of the latest git tag. I deliberately added years ago the resulting files to contain the git commit in such cases to distinguish between builds from “real git tags” vs “something not git tagged”. Try running git describe in Whonix main source code folder. Similar to usual VM build instructions on how to checkout a specific tag and make sure it’s really used (git describe).

Yes, better then to rename live-config-dist/usr/share/pixmaps/install-whonix-host.png at master · Kicksecure/live-config-dist · GitHub to “install-host.png”.

1 Like

Regarding read-only: see my comment here
https://phabricator.whonix.org/T914

1 Like

While testing Whonix-Host-XFCE-15.0.1.0.0-3.iso I realized that it doesn’t have LVM support. Meaning it cannot manage encrypted disks with the "LVM on LUKS" method. I strongly suggest adding package lvm2.

1 Like

https://github.com/Whonix/Whonix/blob/master/build-steps.d/1800_copy_vms_into_raw#L35

old:

   $CHROOT chmod -v -R 444 "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
   $CHROOT chmod -v -R 444 "/var/lib/libvirt/images/Whonix-Workstation.qcow2"

chmod 444 meaning read allowed for owner, group, public.
(As per https://chmod-calculator.com/.)

Would chmod 440 (public cannot read the images) be better? In other words, why should all users on the system be able to read these images? Or is that the default?

I also find octal hard to work with. The following is much easier to understand:

  • chmod u (user/owner)
  • chmod g (group)
  • chmod o (others)

Therefore changed from octal to symbolic:

   $CHROOT chmod --verbose --recursive ugo-r "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
   $CHROOT chmod --verbose --recursive ugo-r "/var/lib/libvirt/images/Whonix-Workstation.qcow2"

This is related to fixing ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on.

Done.

Fixed.

   $CHROOT chmod --verbose --recursive o-r   "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
   $CHROOT chmod --verbose --recursive o-r   "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
   $CHROOT chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
   $CHROOT chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"

1 Like
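
The difference between the chmod variants in the post above, as an added example that is not part of the original thread or of the Whonix build scripts: octal `444` sets an absolute mode, while `ugo-r` and `o-r` / `ugo-w` only subtract bits, so their result depends on the mode the file already had. The helper name `mode_after`, the scratch files and the starting modes are assumptions; it needs GNU `stat` (as on Debian).

```shell
#!/bin/sh
# Added example: apply each chmod variant from the thread to a scratch file
# and report the resulting octal mode. Scratch files stand in for the
# .qcow2 images; nothing under /var/lib/libvirt is touched.

# mode_after START_MODE CHMOD_ARG... -> prints the final octal mode
mode_after() {
    m_start=$1; shift
    m_file=$(mktemp) || return 1
    chmod "$m_start" "$m_file"          # constructed starting permissions
    for m_arg in "$@"; do
        chmod "$m_arg" "$m_file"        # apply each variant in order
    done
    stat -c '%a' "$m_file"              # GNU stat: octal permission bits
    rm -f "$m_file"
}

# Starting modes are constructed samples: 644 (typical default),
# 600 (owner-only), 664 (group-writable).
for start in 644 600 664; do
    printf 'start=%s  444 -> %s  ugo-r -> %s  o-r,ugo-w -> %s  u=r,g=r,o= -> %s\n' \
        "$start" \
        "$(mode_after "$start" 444)" \
        "$(mode_after "$start" ugo-r)" \
        "$(mode_after "$start" o-r ugo-w)" \
        "$(mode_after "$start" u=r,g=r,o=)"
done

# Reading the output:
#   444          always ends at 444 (world-readable, the original question).
#   ugo-r        removes read for everyone, e.g. 644 -> 200, so the image
#                becomes unreadable rather than read-only.
#   o-r + ugo-w  gives 440 from 644 or 664 but 400 from 600: the group bit
#                is only kept if it was already set.
#   u=r,g=r,o=   is the symbolic spelling of 440 and does not depend on
#                the starting mode.
```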

onion_knight via Whonix Forum:

Yes, better then to rename live-config-dist/usr/share/pixmaps/install-whonix-host.png at master · Kicksecure/live-config-dist · GitHub to “install-host.png”.

This was done.

I don’t know. 440 should also work.

Great!

Great! Will try a new build now.

1 Like

Whonix-Host ISO 15.0.1.0.1-11 build breaks for odd reason. Safe to ignore and continue?

 #####################################################################
## INFO: BEGIN: usability-misc postinst configure' '
#####################################################################
'
+ case "$1" in
+ true 'INFO: Configuring usability-misc...'
+ adduser --no-create-home --home /nonexistent --quiet --system --group --shell /bin/false tunnel
+ true 'INFO: End configuring usability-misc.'
+ bisq_desktop_directories_workaround
+ '[' -f /var/lib/usability-misc/do_once/bisq_desktop_directories_workaround_version_1 ']'
+ mkdir -p /usr/share/desktop-directories
+ touch /var/lib/usability-misc/do_once/bisq_desktop_directories_workaround_version_1
touch: cannot touch '/var/lib/usability-misc/do_once/bisq_desktop_directories_workaround_version_1': No such file or directory
++ errorhandlergeneral
++ last_failed_exit_code=1
++ last_failed_bash_command='touch "/var/lib/usability-misc/do_once/${FUNCNAME}_version_1"'
++ output_cmd_set
++ '[' -o xtrace ']'
++ output_cmd=true
++ true 'INFO: Middle of function errorhandlergeneral of /var/lib/dpkg/info/usability-misc.postinst.'

1 Like

Safe to ignore and should be fixed in 15.0.1.0.2-developers-only.

Ok. Build 15.0.1.01-11 successful (ignoring this error).
Everything seems fine.

To sum up, what needs to be done in my opinion:

  • Test on real hardware (both EFI/BIOS)…
  • Get rid of the default XFCE4 desktop image (replace with simple color?), add some Desktop icons (cosmetic changes, not urgent)

Anything else?

1 Like

Whonix-Host · Workboard and live-mode · Workboard could use some triage. Tasks required for first public release could be tagged Whonix_15 vs tasks for future work could be left as is.

Which tasks would you consider release blockers?

I guess for example at minimum we should have a basic host firewall. → ⚓ T942 Whonix Host Firewall for Whonix Host

1 Like

https://phabricator.whonix.org/T914#19541

Then what about hdd live mode boot? Does this issue apply there too?
This implementation path might not work for installed disk live mode boot?

I don’t know. Not implemented yet. Currently installed (persistent) Whonix-Host does not have live-boot option.

Should be easy.

   sudo apt install grub-live

If that works, could be added to anon-meta-packages.

Related:

Personally I don’t see any blocker in the two lists.

This may however be a problem (not a blocker to me anyway) if swap is really a concern to you, as Calamares installer creates a swap partition by default:
https://phabricator.whonix.org/T904

Solutions:

  • Don’t care (the installation should be on an encrypted disk anyway, swap is encrypted too)
  • See how we can change Calamares settings so as to not provide a swap partition by default during partition

Regarding host firewall, I have no experience in that. So I am afraid I won’t be able to help much with that.

This being said, a lot of bugs/desired features will probably appear when we can test Whonix-Host (both live and persistent installation) more thoroughly.

Maybe already consider a first “alpha” build based on what we have (still pending last desktop configuration changes) that multiple people could test and report back?

2 Likes

EDIT:
I forgot this one
https://phabricator.whonix.org/T914
Maybe not a blocker, but should definitely be taken care of, as it is inconvenient (as it currently needs editing on first boot after Whonix-Host persistent installation in order to make it work).

1 Like

Yes, ideally there would be a swap file but it’s not super critical as it’s an encrypted swap partition.

Yes, that’s it for now since Calamares does not support swap files yet.

Not sure that is a good idea. For users with 4 GB RAM and more that might be OK but with less I don’t know if we should care and/or if swap would help.

4 posts were split to a new topic: Whonix-Host Firewall

Currently building 15.0.1.0.2-developers-only from scratch, to see how it goes.

1 Like