
Qubes Whonix 10 - Testing Instructions and Issues
Closed, Resolved (Public)

Description

I will include instructions on how to upgrade an existing Qubes Whonix template (version 9.6.2) to the recently released Whonix 10.

I have been able to test in 'whonix-gateway' in Qubes Release 3, but do not have access to a machine with Release 2 installed on it. Nor have I been able to test upgrading whonix-workstation since I did not have an earlier version to upgrade with.

ITL will also release, at some point, a full template which would replace your existing template for users not interested in the upgrade process.

Please report any bugs or errors you experience here; but not ones listed as expected. An additional task may then be created for any bugs that I am currently unaware of.

Details

Impact
Needs Triage

Event Timeline

nrgaway claimed this task.
nrgaway raised the priority of this task from to High.
nrgaway updated the task description.
nrgaway set Impact to Needs Triage.
nrgaway added subscribers: nrgaway, Patrick, WhonixQubes.

Testers Update instructions

DO NOT FORGET TO BACKUP (CLONE) your existing whonix templates :)

Following is the procedure I used to update a Qubes OS Release 3 whonix-gateway template from 9.6.2 to 10.0.5. I have not tested updating whonix-workstation, since I did not have a 9.6 version installed, but I would assume the same procedure as listed below could be followed verbatim.

In dom0

Backup (clone) existing whonix-gateway and whonix-workstation (max 30 chars)
qvm-clone whonix-gateway-experimental whonix-gw-backup
qvm-clone whonix-workstation whonix-ws-backup

In Whonix template-vm

Fix if you receive locale errors that may have happened during a Debian system update
sudo localedef -f UTF-8 -i en_US -c en_US.UTF-8
sudo update-locale LC_ALL=en_US.UTF-8
poweroff # Need to restart template-vm for settings to take effect

Enable qubes TEST repo; uncomment test repos (remove the '#')
(Use vi, nano or whatever text editor you are familiar with)
sudo vi /etc/apt/sources.list.d/qubes-r3.list

  • or for r2

sudo vi /etc/apt/sources.list.d/qubes-r2.list

Enable Whonix TEST repo (for access to qubes-whonix).
This step has to be run even if set previously through setup since whonix-setup-wizard pointed to the incorrect repos
sudo whonix_repository

Update package index
sudo apt-get update

IMPORTANT: Confirm qubes-whonix installation candidate is at least 0.10.0.5-1

sudo apt-cache policy qubes-whonix
qubes-whonix:
  Installed: 9.6.2-1+wheezy1
  Candidate: 0:10.0.5-1
  Version table:
     0:10.0.5-1 0
        500 http://sourceforge.net/projects/whonixdevelopermetafiles/files/internal/ developers/main amd64 Packages
 *** 9.6.2-1+wheezy1 0
        100 /var/lib/dpkg/status

Expected error messages, warnings, dialogs or prompts that require action

It should be fine to ignore any errors or warnings that do not cause dist-upgrade to fail
It is also fine to ignore a 'whonixcheck' dialog that may appear with the following message. Click OK.

ERROR: Virtualizer xen xen-hvm unsupported by Whonix developers! Whonixcheck aborted!
Using Virtualizer xen xen-hvm together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] 
It could be made possible, but would require more Whonix contributors. 
It may already work, but is highly experimental. 
This might endanger your anonymity. Do not proceed unless you know what you are doing. 
If you wish to ignore this warning and to continue whonixcheck anyway, you can set 
WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
in /etc/whonix.d/30_whonixcheck_default. 
Recommended action: 
- Shut down. 
- Read Whonix documentation [4]. 
- Use Whonix with either VirtualBox or Physical Isolation [5].

Select Y to install any maintainer version of files

Configuration file `/etc/whonix.d/30_whonixcheck_default'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** 30_whonixcheck_default (Y/I/N/O/D/Z) [default=N] ?
Configuration file `/etc/apt/sources.list.d/qubes-r3.list'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** qubes-r3.list (Y/I/N/O/D/Z) [default=N] ?

Start the Whonix 10.0 upgrade

As stated above, enter Y for configuration file replacements, and click OK if the whonixcheck dialog appears
sudo apt-get dist-upgrade

Exit status may look like the following:

Errors were encountered while processing:
 timezone-utc
E: Sub-process /usr/bin/dpkg returned an error code (1)

Fix timezone installation errors

(Ignore qubes-update-check.service failed error. Will be fixed upstream)
sudo apt-get install -f

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  anon-gw-first-run-notice ksh libgtop2-7 libgtop2-common libsystemd-id128-0 libunique-3.0-0 nautilus-actions netcat-openbsd
  spice-vdagent ucspi-tcp
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up timezone-utc (3:0.8-1) ...
Job for qubes-update-check.service failed. See 'systemctl status qubes-update-check.service' and 'journalctl -xn' for details.
E: Problem executing scripts DPkg::Post-Invoke 'systemctl start qubes-update-check.service'
E: Sub-process returned an error code

Remove configuration files that were backed up by dpkg

sudo rm /etc/whonix.d/30_whonixcheck_default.dpkg-old

Disable Whonix TEST repo (select stable)

sudo whonix-setup-wizard repository

Disable qubes TEST repo; comment out test repo (Insert '#' at beginning of line)

sudo vi /etc/apt/sources.list.d/qubes-r3.list

  • or for r2

sudo vi /etc/apt/sources.list.d/qubes-r2.list

Remove unneeded files

sudo apt-get autoremove

Shutdown template-vm

sudo poweroff
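The "IMPORTANT" candidate check from the instructions above can be scripted as a gate before `apt-get dist-upgrade`. This is an added example, not part of the original post; the function names are hypothetical, and the minimum version is taken from the Candidate line of the policy output shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original instructions.
# Minimum acceptable candidate, copied from the Candidate line in the post.
MIN_CANDIDATE='0:10.0.5-1'

# Print one field ("Installed" or "Candidate") from `apt-cache policy` text on stdin.
policy_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Return 0 only when the candidate in the policy text on stdin is present and
# at least $1, using dpkg's Debian version ordering (handles the "0:" epoch).
candidate_at_least() {
    cand=$(policy_field Candidate)
    case "$cand" in
        ''|'(none)') return 1 ;;   # package unknown to every enabled repository
    esac
    dpkg --compare-versions "$cand" ge "$1"
}

# Policy output as shown in the post (origin line omitted).
SAMPLE_POLICY='qubes-whonix:
  Installed: 9.6.2-1+wheezy1
  Candidate: 0:10.0.5-1
  Version table:
     0:10.0.5-1 0
 *** 9.6.2-1+wheezy1 0
        100 /var/lib/dpkg/status'

# On a template, replace the sample with: apt-cache policy qubes-whonix
if printf '%s\n' "$SAMPLE_POLICY" | candidate_at_least "$MIN_CANDIDATE"; then
    echo "candidate OK: proceed with apt-get dist-upgrade"
else
    echo "candidate too old or missing: re-check the enabled repositories" >&2
fi
```

A failed gate means the test repositories are not enabled or `apt-get update` has not been run, which is the state that leads to the broken gateway described later in this task.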

I am not sure it's wise telling testers to enable the developers repository. That could break badly at some point. The developers repository is a playground for me to upload and install from packages where I am not 100% certain they are not going to break the package manager.

In T288#4179, @Patrick wrote:

I am not sure it's wise telling testers to enable the developers repository. That could break badly at some point. The developers repository is a playground for me to upload and install from packages where I am not 100% certain they are not going to break the package manager.

Okay. So is the solution to move whonix-qubes to the testing repo now then? If so please do that or provide an alternative solution so we can get this tested some more.

I am satisfied with the manual upgrade procedure especially given that the experimental template did not take into consideration upgrading to major versions since I believe this is the first time I have seen where you could do that with Whonix since version 7 or 8.

Users who wish not to manually upgrade will be able to wait for a template update and just install it.

Yes. Done, migrated (copied) qubes-whonix 10.0.5-1 from developers to testers repository.

Want to post a blog post? Otherwise I guess very few will notice these instructions. Got a blog account already?

In T288#4212, @Patrick wrote:

Yes. Done, migrated (copied) qubes-whonix 10.0.5-1 from developers to testers repository.

Want to post a blog post? Otherwise I guess very few will notice these instructions. Got a blog account already?

Not yet, we may have to end up moving it to stable sooner than expected...

Does an 'apt-get dist-upgrade' in Whonix 9.6 update Whonix to 10.0? I am receiving reports of Qubes-Whonix users updates failing as of a few days ago.

I am in the process of installing the original ITL qubes-whonix-gateway-experimental to test what is actually happening. There can be 2 issues here, since some users' repos will be set to use your old repo due to the whonix-setup-wizard bug, and qubes-whonix is not in that old repo as well.

Should be done testing in 30 minutes... More to come...

Link: "stable vs wheezy repository" bug T233

Does an 'apt-get dist-upgrade' in Whonix 9.6 update Whonix to 10.0?

Yes. (And that should work quite reliably, because the old package version was deprecated in whonixcheck Whonix News and users seem to upgrade. Otherwise they would panic about whonixcheck reporting them being outdated and not being able to upgrade.)

What to do if you ran an apt-get dist-upgrade not using the upgrade method above

Oh no! Your gateway will most likely be in some type of broken state, maybe some dialogs are popping up stating "Using Virtualizer xen xen-hvm together with Whonix is recommended against, because it is rarely tested.", the timesync dialog seems stuck and tor is stuck at bootstrapping at 5%.

With a little bit of patience and manual intervention, we can fix things up.

First thing. Start the whonix-gateway-experimental template; we need to get tor up and running again so we can update template properly.

Open a 'gnome-terminal' or 'xterm' session to the templatevm. Either select 'terminal' from your start menu or in qubes-manager right-click the vm name, click on Run command in VM, then enter gnome-terminal or xterm.

In the template terminal type:

sudo cp -p /usr/bin/whonix_firewall /usr/bin/whonix_firewall.dist
sudo sed -i 's/## IPv4 DROP INVALID INCOMING PACKAGES POST HOOK//' /usr/bin/whonix_firewall
sudo poweroff

Now the Whonix Gateway AppVM should start properly (Don't worry about the "Using Virtualizer xen xen-hvm together with Whonix is recommended against, because it is rarely tested." dialog box that may pop up; it will be taken care of once the upgrade to Whonix 10 is complete).

Now proceed with the update starting at the step labelled In Whonix template-vm in the first post listed above

This will all be sorted out once a couple of packages are moved from the testing to stable repos

Your instructions sound good. I recommend to hit the edit button for instruction posts and to copy it over to the wiki https://www.whonix.org/wiki/Qubes/Upgrade_from_9_to_10 or so. Unfortunately, phabricator uses markdown and mediawiki uses mediawiki syntax.

Can workstation templates also be upgraded that way?

What to do if you ran an apt-get dist-upgrade not using the upgrade method above

Instructions from https://phabricator.whonix.org/T288#4171 contain apt-get dist-upgrade rather than apt-get upgrade.

In T288#4229, @Patrick wrote:

Your instructions sound good. I recommend to hit the edit button for instruction posts and to copy it over to the wiki https://www.whonix.org/wiki/Qubes/Upgrade_from_9_to_10 or so. Unfortunately, phabricator uses markdown and mediawiki uses mediawiki syntax.

Argh :) We have to find someone to maintain the Qubes Whonix forum and wiki since @WhonixQubes has left us. I really don't want to be managing those parts as I prefer to spend my time coding and such related things. Maybe you can put an ad out looking to see if anyone is interested in such a task.

Maybe in the meantime, we can place a link in the wiki pointing to this task as it will allow me to be notified of any issues. I have one user on Qubes mailing list confirm the upgrade procedure worked for them after a failed update a few days ago (I added the second post for them and other users that will have that issue).

Can workstation templates also be upgraded that way?

What to do if you ran an apt-get dist-upgrade not using the upgrade method above

Instructions from https://phabricator.whonix.org/T288#4171 contain apt-get dist-upgrade rather than apt-get upgrade.

That's correct. I specified an apt-get dist-upgrade purposely. dist-upgrade will allow additional packages to be installed that are not already installed and upgrade will only allow existing packages to be upgraded. The qubes-core-agent contains additional dependencies that may not already be installed. If only an upgrade were specified I would think the newest qubes-core-agent would not install, or fail, and therefore qubes-whonix 10.0.5 would also not install since it depends on the former.

Can workstation templates also be upgraded that way? That's not clear from instructions.


In T288#4256, @nrgaway wrote:

Argh :) We have to find someone to maintain the Qubes Whonix forum and wiki since @WhonixQubes has left us. I really don't want to be managing those parts as I prefer to spend my time coding and such related things. Maybe you can put an ad out looking to see if anyone is interested in such a task.

In T288#4256, @nrgaway wrote:

Maybe in the meantime, we can place a link in the wiki pointing to this task as it will allow me to be notified of any issues. I have one user on Qubes mailing list confirm the upgrade procedure worked for them after a failed update a few days ago (I added the second post for them and other users that will have that issue).

Yes.


In T288#4256, @nrgaway wrote:

That's correct. I specified an apt-get dist-upgrade purposely. dist-upgrade will allow additional packages to be installed that are not already installed and upgrade will only allow existing packages to be upgraded. The qubes-core-agent contains additional dependencies that may not already be installed. If only an upgrade were specified I would think the newest qubes-core-agent would not install, or fail, and therefore qubes-whonix 10.0.5 would also not install since it depends on the former.

Makes sense. But it is not what I meant. There was a misunderstanding by me about the following sentence.

In T288#4256, @nrgaway wrote:

What to do if you ran an apt-get dist-upgrade not using the upgrade method above

To make it unambiguous, please make that:

What to do if you ran an apt-get dist-upgrade not using the upgrade instructions above

HOW TO RE-INSTALL qubes-whonix


Apply these steps within the whonix template


Re-enable Whonix test repository

sudo whonix-setup-wizard repository

Update package index

sudo apt-get update

Make sure whonix_firewall is patched

sudo sed -i 's/## IPv4 DROP INVALID INCOMING PACKAGES POST HOOK//' /usr/bin/whonix_firewall

Re-install qubes-whonix

sudo apt-get install --reinstall qubes-whonix

Re-enable Whonix stable repository

sudo whonix-setup-wizard repository

Update package index

sudo apt-get update

Shutdown both template and gateway VM

HOW TO SEE STATUS OF SOME SERVICES


sudo systemctl status qubes-whonix-tor
sudo systemctl status control-port-filter-python

Error when attempting to update in Whonix 10

There has been an issue reported in the forum (https://www.whonix.org/forum/index.php/topic,1280.0.html) that prevents a user from using apt-get to update the system due to the following error:

E: Malformed line 2 in source list /etc/apt/sources.list.d/qubes-r2.list (dist parse)
E: The list of sources could not be read.

You will need to edit the /etc/apt/sources.list.d/qubes-r2.list file manually and add in wheezy like it shows in the following example. The following example is for release 3 of Qubes, but will work for release 2 as well; just do not change the version number in the file, only add in wheezy to all the lines.

You need to be root to edit the file, so use sudo. For example, using the vi editor:
sudo vi /etc/apt/sources.list.d/qubes-r2.list

# Main qubes updates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm wheezy main
deb-src http://deb.qubes-os.org/r3.0/vm wheezy main

# Qubes updates candidates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm wheezy-testing main
deb-src http://deb.qubes-os.org/r3.0/vm wheezy-testing main

# Qubes experimental/unstable repository
#deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm wheezy-unstable main
#deb-src http://deb.qubes-os.org/r3.0/vm wheezy-unstable main

Next run an apt-get update to confirm your changes.
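Both the "Disable qubes TEST repo" step earlier in this task and the malformed-line fix above come down to inspecting the same file, so a small linter can check both before `apt-get update` is run. This is an added example, not code from the task or from Qubes/Whonix; `lint_sources` is a hypothetical name, the rule (URI, suite and at least one component, unless the suite ends in `/`) follows the one-line format in sources.list(5), and the broken line 2 in the sample is constructed because the task does not show the broken file.

```shell
#!/bin/sh
# Added example: lint one-line-style APT source entries read from stdin.
# Prints "LINE:KIND:text" for each finding:
#   MALFORMED - active deb/deb-src entry lacking a suite or a component
#   TESTREPO  - active entry whose suite ends in -testing or -unstable
lint_sources() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # commented-out or blank: inactive
    $1 != "deb" && $1 != "deb-src" { next }  # not a one-line source entry
    {
        i = 2
        # Skip the optional [option=value ...] block, which may span fields.
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        uri = $i; suite = $(i + 1); ncomp = NF - (i + 1)
        if (uri == "" || suite == "" || (suite !~ /\/$/ && ncomp < 1))
            printf "%d:MALFORMED:%s\n", NR, $0
        else if (suite ~ /-(testing|unstable)$/)
            printf "%d:TESTREPO:%s\n", NR, $0
    }'
}

# Constructed sample: line 2 lacks the release name (wheezy), line 6 leaves
# the updates-candidates (testing) repository enabled after the upgrade.
SAMPLE='# Main qubes updates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm main
deb-src http://deb.qubes-os.org/r3.0/vm wheezy main

# Qubes updates candidates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm wheezy-testing main
#deb-src http://deb.qubes-os.org/r3.0/vm wheezy-testing main'

# On a template: lint_sources < /etc/apt/sources.list.d/qubes-r3.list
findings=$(printf '%s\n' "$SAMPLE" | lint_sources)
printf '%s\n' "$findings"
```

A MALFORMED finding needs the release name added as described above; a TESTREPO finding is expected only while the upgrade is in progress and should be gone once the test repo has been commented out again.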