[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Whonixcheck keeps complaining about timezone after Debian update

I am an experienced Linux developer with some familiarity with Tor. I have tried an older version of Whonix in the past, but I am new to Qubes OS. Last week I installed Qubes OS 3.0 with Whonix templates. Things worked well until I installed security updates in all template VMs.

First whonixcheck alerted me to the fact that unwanted packages had been pulled in by the updates, namely [tt]ntpdate[/tt] and [tt]chrony[/tt]. So I purged them as recommended by whonixcheck. Bug report: This whonixcheck advice was not Qubes-aware, so it wrongly told me to remove these packages from the AppVM dom0 -> Start Menu -> ‘whonix’ -> Konsole instead of the TemplateVMs whonix-ws and whonix-gw.

In order to avoid pulling in undesired packages, it might be wise to modify the [tt]apt[/tt] configuration as recommended by Zwiebelfreunde for Tor Exit servers <https://www.torservers.net/wiki/setup/server>:

# disable debian default that pulls in recommended packages:
cd /etc/apt/apt.conf.d
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/06norecommends

At the same time, whonixcheck complained about an unexpected timezone setting, and I am unable to correct it. Even after changing the contents of /etc/timezone from UTC to Etc/UTC in both template VMs, the old value is back after a reboot, and whonixcheck complains again.

Then I noticed that TorBrowser was gone. Whonix offered to re-install it using its TorBrowser-Updater. That was denied by AppArmor, so I disabled it. Now I can use TorBrowser, but whonixcheck keeps complaining about the timezone even after reboots.

It is possible that AppArmor plays a role in this mess. I had enabled it two days ago, and it generated DENIED entries in the kernel.log of whonix-gw for [tt]/usr/sbin/cpfpd[/tt] not being allowed to read from “/rw/usrlocal/lib/python2.7/dist-packages/”. I would paste the exact warning here, but copy & paste does not work (yes, I tried the three-step dance ctrl-shift-c ctrl-shift-v ctrl-v but the destination clipboard still contained an old value).

These are my package sources:

user@host~$ egrep -rv '^#|^$' /etc/apt/sources.list.d/
/etc/apt/sources.list.d/debian.list:deb http://security.debian.org jessie/updates main contrib non-free
/etc/apt/sources.list.d/debian.list:deb http://ftp.us.debian.org/debian jessie main contrib non-free
/etc/apt/sources.list.d/whonix.list:deb http://mirror.whonix.de/whonixdevelopermetafiles/internal/ testers main
/etc/apt/sources.list.d/torproject.list:deb http://deb.torproject.org/torproject.org jessie main
/etc/apt/sources.list.d/qubes-r3.list:deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm jessie main

PS: Tor-Browser was not really gone, but the menu (I am using XFCE) was looking in the wrong place: [tt]/home/user/.tb/[/tt]

After allowing Tor-Browser-Updater to do its work, I have three Tor-Browsers lying around: [tt]/usr/bin/torbrowser[/tt], [tt]/home/user/tor-browser_en-US/[/tt] and [tt]/home/user/.tb/tor-browser_en-US/[/tt]. Not ideal.

PS: Tor-Browser was not really gone, but the menu (I am using XFCE) was looking in the wrong place: [tt]/home/user/.tb/[/tt]
Not the wrong place. It's the new place. (https://phabricator.whonix.org/T338)
After allowing Tor-Browser-Updater to do its work, I have three Tor-Browsers lying around: [tt]/usr/bin/torbrowser[/tt], [tt]/home/user/tor-browser_en-US/[/tt] and [tt]/home/user/.tb/tor-browser_en-US/[/tt]. Not ideal.
/usr/bin/torbrowser is a wrapper to start /home/user/.tb/... You can delete /home/user/tor-browser_en-US if applicable or move to /home/user/.tb/tor-browser_en-US.

[quote=“digitalcourage, post:1, topic:1572”]I am an experienced Linux developer with some familiarity with Tor. I have tried an older version of Whonix in the past, but I am new to Qubes OS. Last week I installed Qubes OS 3.0 with Whonix templates. Things worked well until I installed security updates in all template VMs.

First whonixcheck alerted me to the fact that unwanted packages had been pulled in by the updates, namely [tt]ntpdate[/tt] and [tt]chrony[/tt]. So I purged them as recommended by whonixcheck. Bug report: This whonixcheck advice was not Qubes-aware, so it wrongly told me to remove these packages from the AppVM dom0 -> Start Menu -> ‘whonix’ -> Konsole instead of the TemplateVMs whonix-ws and whonix-gw.

In order to avoid pulling in undesired packages, it might be wise to modify the [tt]apt[/tt] configuration as recommended by Zwiebelfreunde for Tor Exit servers <https://www.torservers.net/wiki/setup/server>:

# disable debian default that pulls in recommended packages:
cd /etc/apt/apt.conf.d
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/06norecommends

At the same time, whonixcheck complained about an unexpected timezone setting, and I am unable to correct it. Even after changing the contents of /etc/timezone from UTC to Etc/UTC in both template VMs, the old value is back after a reboot, and whonixcheck complains again.

Then I noticed that TorBrowser was gone. Whonix offered to re-install it using its TorBrowser-Updater. That was denied by AppArmor, so I disabled it. Now I can use TorBrowser, but whonixcheck keeps complaining about the timezone even after reboots.

It is possible that AppArmor plays a role in this mess. I had enabled it two days ago, and it generated DENIED entries in the kernel.log of whonix-gw for [tt]/usr/sbin/cpfpd[/tt] not being allowed to read from “/rw/usrlocal/lib/python2.7/dist-packages/”. I would paste the exact warning here, but copy & paste does not work (yes, I tried the three-step dance ctrl-shift-c ctrl-shift-v ctrl-v but the destination clipboard still contained an old value).

These are my package sources:

user@host~$ egrep -rv '^#|^$' /etc/apt/sources.list.d/ /etc/apt/sources.list.d/debian.list:deb http://security.debian.org jessie/updates main contrib non-free /etc/apt/sources.list.d/debian.list:deb http://ftp.us.debian.org/debian jessie main contrib non-free /etc/apt/sources.list.d/whonix.list:deb http://mirror.whonix.de/whonixdevelopermetafiles/internal/ testers main /etc/apt/sources.list.d/torproject.list:deb http://deb.torproject.org/torproject.org jessie main /etc/apt/sources.list.d/qubes-r3.list:deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm jessie main [/quote]
Thanks!

A lot issues come from the testers repository. I just now updated that repository. Good you’re using http://mirror.whonix.de/whonixdevelopermetafiles/internal/ which is updated a bit faster. (More explanation: https://www.whonix.org/wiki/Whonix-APT-Repository#Repository_Location_URI)

Please update your TemplateVMs, restart the VM, and see what still applies. In case it hasn’t been addressed yet, in that case just copy and paste what you wrote before.

[quote=“digitalcourage, post:1, topic:1572”]In order to avoid pulling in undesired packages, it might be wise to modify the [tt]apt[/tt] configuration as recommended by Zwiebelfreunde for Tor Exit servers <https://www.torservers.net/wiki/setup/server>:

[code]

disable debian default that pulls in recommended packages:

cd /etc/apt/apt.conf.d
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/06norecommends
[/code][/quote]
This should be a separate discussion in the development forum:
https://www.whonix.org/forum/index.php/board,5.0.html

I’m having this same time issue on testers/xfce, Qubes 3.0. Every time I do whonixcheck I get this:

ERROR: Check Timezone Result: 
/etc/timezone settings different from Whonix defaults. 
timezone_file_expected_content: Etc/UTC 
timezone_file_actual_content: UTC 
ERROR: Check Timezone Result: 
Settings different from Whonix defaults. (See above!) 
You could try to fix this. 
dom0 -> Start Menu -> ServiceVM: whonix-WS-testers -> Konsole
sudo su 
echo "Etc/UTC" > /etc/timezone 
cp "/usr/share/zoneinfo/Etc/UTC" "/etc/localtime"
It is generally recommended to keep the default as per Whonix Design. [1] If you did not change timezone related settings, please report this Whonix bug. 
If you know what you are doing, feel free to disable this check. Create a file /etc/whonix.d/50_whonixcheck_user and add: 
whonixcheck_skip_functions+=" check_timezone "

As digitalcourage wrote, following these steps doesn’t help and the problem persists after reboots.

Freshly updated packages as of posting.

I should also mention that I opted to not use AppArmor so we can rule that out.

Yes, whonixcheck is wrong. This has to be done in the TemplateVM.

[hr]

qu฿enix, did you apply this in your TemplateVM?

[hr]

Since when did this happen? What are the steps to reproduce this issue? Get Whonix 11 + update from testers repository?

[hr]

The contents of /etc/timezone really is UTC, not /etc/UTC?

[hr]

Please check the contents of /var/lib/dpkg/info/qubes-whonix.postinst by running the following command.

It should return nothing. I.e. qubes-whonix.postinst should no longer modify that file.

[hr]

What are the contents of /etc/qubes/protected-files.d/qubes-whonix.conf?

Should be:

## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Not calling this file simply qubes-whonix to avoid conflicts with the in
## earlier versions auto generated file with the same name. Also one day we
## might wish to only parse config files ending with '.conf'.

## anon-(gw|ws)-dns-conf
/etc/resolv.conf

## anon-base-files
/etc/hostname
/etc/hosts

## timezone-utc
/etc/localtime
/etc/timezone

Fixed after applying to TemplateVM. facepalm

For informational purposes here are the outputs you asked for:

user@host:~$ cat /etc/timezone
UTC
user@host:~$ cat /var/lib/dpkg/info/qubes-whonix.postinst | grep -i utc
user@host:~$ cat /etc/qubes/protected-files.d/qubes-whonix.conf
## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Not calling this file simply qubes-whonix to avoid conflicts with the in
## earlier versions auto generated file with the same name. Also one day we
## might wish to only parse config files ending with '.conf'.

## anon-(gw|ws)-dns-conf
/etc/resolv.conf

## anon-base-files
/etc/hostname
/etc/hosts

## timezone-utc
/etc/localtime
/etc/timezone
user@host:~$ sudo su
root@host:/home/user# echo "Etc/UTC" > /etc/timezone
root@host:/home/user# cp "/usr/share/zoneinfo/Etc/UTC" "/etc/localtime"
cp: overwrite ‘/etc/localtime’? y
root@host:/home/user# cat /etc/timezone /etc/localtime
Etc/UTC
TZif2UTCTZif2UTC
UTC0
root@host:/home/user# cat /usr/share/zoneinfo/Etc/UTC 
TZif2UTCTZif2UTC
UTC0
root@host:/home/user# exit
exit
user@host:~$ whonixcheck
[INFO] [whonixcheck] whonix-ws-testers-TEMPLATE | Whonix-Workstation | TemplateVM | Sun Nov  8 15:49:36 UTC 2015
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] SocksPort Test: Testing Tor's SocksPort...
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: 209.133.66.214
[INFO] [whonixcheck] TransPort Test: Testing Tor's TransPort...
[INFO] [whonixcheck] TransPort Test Result: Connected to Tor. IP: 77.247.181.163
[INFO] [whonixcheck] Stream Isolation Test Result: Functional.
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updates...
x whonix_feature_blog.txt
x whonix_gateway_1.9-1_deb_news
x whonix_gateway_valid_build_versions
x whonix_gateway_valid_deb_versions
x whonix_important_blog.txt
x whonix_workstation_1.9-1_deb_news
x whonix_workstation_valid_build_versions
x whonix_workstation_valid_deb_versions
[INFO] [whonixcheck] Whonix News Result:
√ Up to date: whonix-workstation-packages-dependencies 2.8-1
√ Up to date: Whonix Build Version: 11.0.0.3.0
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get... ( Documentation: https://www.whonix.org/wiki/Update )
[INFO] [whonixcheck] Debian Package Update Check Result: No updates found via apt-get.
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases TESTERS updates,
they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
along with updated packages from the Debian team. Please
read https://www.whonix.org/wiki/Trust to understand the risk.
If you want to change this, use:
    sudo whonix_repository
user@host:~$

Started about 5 days ago.

To reproduce I believe you can just install 11, set testers repo, upgrade, and run whonixcheck.

Thanks!

fixed output with advice in Qubes when incorrect timezone is being set
https://github.com/Whonix/whonixcheck/commit/26713b4737cb7d9fe87ffe39f741ebada7f352e9

Fix will come in whonixcheck 3.8.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]