Hey. Please help solve the problem. Debian Kicksecure Host Installed grub-live. When running grub-live on the host, I cannot start the KVM virtual machine.
Startup error: internal error: child reported
(status = 125): unable to set user and group to
‘64055: 64055’ on '/ var / lib / libvirt / images / Whonix-
Gateway.qcow2 ': No device left
VirtualBox has the same problem. Swears at "No device left
free space "When running a host in normal mode (non-live-mode) everything works fine. Both in VirtualBox and in KVM
You probably don’t have enough physical RAM on the host.
How much do you need? I don’t know. I only tested with 32 GB RAM on the
host which worked for me.
Reports welcome how much RAM one has and if it works for you.
mem: total - 15Gi used 404Mi free 14Gi shared 70Mi buff/cache 383Mi available 14Gi
Maybe I turned on / off something extra on the host? (I changed a lot of settings, installed other recommended software (on the wiki)
Read-only mode KVM - worked. (non grub-live on host)
https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt has a chapter Metadata only copy up:
When metadata only copy up feature is enabled, overlayfs will only copy up metadata (as opposed to whole file), when a metadata specific operation like chown/chmod is performed. Full file will be copied up later when file is opened for WRITE operation.
In other words, this is delayed data copy up operation and data is copied up when there is a need to actually modify data.
There are multiple ways to enable/disable this feature.
That feature would be useful for Whonix-Host. If anyone already used that, please help in ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on.
@Patrick, your suggestion seems to be working
See my last comment here
Need to review each of these kernel boot parameters if these are still required.
Activates live boot (package by Debian). Probably OK.
/lib/live/boot/9990-main.sh for variable
PLAIN_ROOT. Takes a different code path. Not sure.
By default, live-boot uses overlay. With this parameter, you can switch to aufs.
Seems default anyhow. Could therefore be removed but never mind.
Seems required to not write
Do not prompt to eject the live medium.
This option causes live-boot to reboot without attempting to eject the media and without asking the user to remove the boot media.
Do we want this? Why?
When shutting down Whonix-Host ISO it seems to not poweroff but say “please remove ISO” or something which is bad (in case users want to quickly shutdown to clear RAM).
disables the “persistence” feature, useful if the bootloader (like syslinux) has been installed with persistence enabled.
Not sure yet. Probably ok for now. Looks related to selective persistence.
plainrootNo sure neither. I found almost no valuable info. Maybe supports disk encryption (?)
Whonix live mode / amnesia / amnesic / non-persistent / anti-forensics - #45 by Algernon
union=overlayYes to keep it, probably redundant, but you never know when the default changes
ip=frommediaYes, " Seems required to not write
noejectYes, let’s keep it, maybe better for quick shutdown.
nopersistence, Seems we could remove this one. Maybe persistence (like Tails) could be a nice feature in the future for Whonix-Host
Btw I have just noticed that default Whonix-Host ISO (Isolinux, didn’t check on GRUB yet) does not have these kernel parameters. Is this on purpose? Or should we harmonize it and have the same exact parameters for VMs and Whonix-Host live-mode?
Edit by Patrick:
added bullet points for easier readability
Not on purpose. I guess that happened because these boot options are only set when booting for example Whonix-Workstation VM into Live Mode. Therefore overlooked.
Yes, that would be good.
Kernel command line persistent mode changes from ⚓ T950 set kernel.printk sysctl to prevent kernel info leaks were not added yet. But not sure we should add them yet. It’s not time to lower verbosity for Whonix-Host boot yet.
Perhaps rather the opposite. Add more verbosity?
Btw installing package
debug-misc on Whonix-Host ISO wouldn’t increase debugging because current implementation ignores that raw image’s
/boot/grub/grub.cfg (which is created from
/etc/default/grub.d is ignored) (for now hardcoded).
Could use a script to sanity check if kernel boot parameters are sync (no differences for Whonix-Host ISO) but not easy.
Why are kernel boot paramaters (such as
spectre_v2=on spec_store_bypass_disable=on tsx=off …) defined in both files:
is one redundant?
Could you please create tickets (separate forum topics) for anything that isn’t easy to resolve? [Don’t worry the forum tags too much. I can do these later.]
One is for GRUB (when booting in EFI), the other is for Isolinux (when booting in BIOS).
Any idea how to debug this?
How now set Read-only Mode for VM?
This manual no longer work /wiki/VM_Live_Mode/Read_Only_Mode_Hard_Drive
It is also impossible to start VM with live mode on host. There is an error VERR_DISK_FULL
Not whonix issue:
“I thought it was the VirtualBox’s vdi hard disk drive that was full, but it was much easier. Just a “df -h” and I realized that my host disk was full!”
cc @Patrick maybe we can add this to:
Anyone can use the live mod with the recent changes to AHCI? I can’t.
With VB 6.1.18 everything worked great. But wit VB 6.1.2 and with AHCI I can’t start a whonix VB in a live mode with live mode on host.
My disk has enough free space. When I used VB 6.1.18 with LisLogic SAS live mode on the host worked well and I was able to start whonix VB with a live mode on the host. But now when live mode is on on the host I got this error - VERR_DISK_FULL
Also now is impossible to switch AHCI VB to read only.