check Qubes-Whonix compatibility with Qubes 4.0
Closed, Resolved · Public

Description

TODO:

  • test wise upgrade to Qubes R4.0
  • see if upgrading Whonix whonix-gw and whonix-ws TemplateVMs is still functional
  • see if apt-get package installation in sys-whonix / anon-whonix is still functional
  • run whonixcheck
  • check Tor Browser connectivity

See also:
https://github.com/QubesOS/qubes-issues/issues/1854#issuecomment-304536463

Details

Impact
High

Event Timeline

Patrick created this task. Jun 29 2017, 6:51 PM

Well, after a lot of work, it's ALIVE!
I can update the whonix-gw and whonix-ws templates through sys-whonix proxy
whonixcheck works in sys-whonix and anon-whonix
Tor browser works in anon-whonix

The biggest problem was getting the templateVMs to update due to changes (and bugs) in Qubes R4.0

  • All Template Updates in Qubes R4.0 are hardcoded to go to sys-net. See https://github.com/QubesOS/qubes-issues/issues/3118
  • Dom0 policy needs to be updated to send to sys-whonix. Note ALL template VM updates will now go through Tor (except dom0 updates)
  • torified-updates-proxy-check is incorrect. Needs to be:

curl_output="$(UWT_DEV_PASSTHROUGH="1" curl --silent --connect-timeout 10 -x "${PROXY_SERVER}" http://10.137.255.254/)" || true

  • This gets overwritten every time qubes-whonix is updated
  • After edit, restart qubes-whonix-torified-updates-proxy-check.service

Patrick added a subscriber: JasonJAyalaP.

Did you see the pull requests to the qubes-whonix package that Marek recently submitted which I then merged and uploaded to Whonix jessie-proposed-updates repository?

https://github.com/Whonix/qubes-whonix/commits/Whonix13

Could you try these please? I guess soon it's time to migrate that package into the stable jessie repository.

As for policy for updates proxy, see this: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/commit/977362ee27ccc116512fc428c0807063600655cc

It's done automatically on fresh install (rc2+), but if you update from rc1, you need to launch it manually: qubesctl state.sls qvm.whonix-gw (and same for whonix-ws).

@marmarek The salt stuff helped a lot. It does force a strict naming convention though. And becomes more difficult to add my own cloned template of whonix-ws. But I figured out how to create my salt files and it worked out.

Out of curiosity, where is the R4.0 rc2 download for fresh install?

@Patrick I was working with jessie-proposed-updates, but was getting an empty response with the curl command in the default scripts. However, either with the salt configurations above or rebooting several times, the default scripts now work without modification.

Even if you don't move them to the jessie repository, it might be good to regenerate the whonix-templates with that script.

Out of curiosity, where is the R4.0 rc2 download for fresh install?

There is none yet. You can build it yourself for now...

Even if you don't move them to the jessie repository, it might be good to regenerate the whonix-templates with that script.

Will do.

jessie-proposed-updates repository merged into jessie repository and uploaded.

Patrick closed this task as Resolved. Dec 18 2017, 8:57 PM
Patrick claimed this task.

apt-get apt-transport-tor broken in Qubes R4 non-networked TemplateVMs #3403
https://github.com/QubesOS/qubes-issues/issues/3403

Besides, all other issues are sorted.