
Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on
Testing in next build required, Normal, Public

Description

http://forums.whonix.org/t/whonix-host-operating-system/3931/80

@HulaHoop

Dug around on how to modify XML settings on the fly via cli. Other options were too messy or required manual editing which are useless for scripting.

sudo virt-xml Whonix-Workstation --edit --disk readonly=on

readonly takes values on/off

I am not sure whonix-libvirt is the ideal place for detection of live mode and the adjustment of image write options. Perhaps the grub-live package is a better place.

However wouldn't doing this break VM usage since ro-mode-init is not our first choice for using it?

Details

Impact
Normal

Event Timeline

Patrick triaged this task as Normal priority. Jun 14 2019, 11:27 AM
Patrick created this task.

@Onion_Knight :

https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/109

By default, the VMs do not start because the virtual disks are not set to readonly. This is only needed when using the ISO though. Might stay this way as long as the user is correctly advised to set the disk to readonly mode.

I can invent a systemd unit file which detects if being run in live mode, and if so, set VM disks to readonly mode. Will add to whonix-libvirt package unless better suggestions.

For the record, this is the diff being generated.

diff --git a/qemu/Whonix-Workstation.xml b/qemu/Whonix-Workstation.xml
index edce9b1..749ae6e 100644
--- a/qemu/Whonix-Workstation.xml
+++ b/qemu/Whonix-Workstation.xml
@@ -52,7 +52,6 @@ or other application using the libvirt API.
       <driver name='qemu' type='qcow2'/>
       <source file='/var/lib/libvirt/images/Whonix-Workstation.qcow2'/>
       <target dev='vda' bus='virtio'/>
-      <readonly/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
     </disk>
     <controller type='virtio-serial' index='0'>
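Review bot: dropping `<readonly/>` from the vda disk (the `-      <readonly/>` line) makes the shipped Whonix-Workstation definition writable by default, which fixes the "VMs do not start" case, but it also moves the live-mode write protection entirely into a runtime step that a reader of this XML cannot see; add a one-line comment next to the `<disk>` element (or a changelog entry) saying that live mode re-adds `<readonly/>` via `virt-xml ... --edit --disk readonly=on`, and confirm the gateway definition gets the same change, since this diff only touches the Workstation file.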
Patrick changed the task status from Open to testing-in-next-build-required. Aug 21 2019, 9:13 AM

Implemented.

https://github.com/Whonix/whonix-libvirt/commit/bb7773e62850fdc76b794500e6bb0c282a55bb2b

Should work on manual invocation.

sudo /lib/systemd/system/whonix-libvirt-set-live-to-readonly.service

If it gets actually automatically started by systemd at boot is untested.

Does

cat /proc/cmdline

show boot=live?

The pipe "|" in ConditionKernelCommandLine=|boot=live isn't a mistake. It means triggering condition.

In next build please try:

sudo systemctl status whonix-libvirt-set-live-to-readonly.service

It seems that https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/live-mode-to-read-only is not run by root. Thus it cannot get the virsh list --all (returns void) nor change the VM xml configuration file.

We can already change

vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"

to

vm_names_list="$(virsh -c qemu:///system list --all | awk '{print $2}'| grep -v Name)"

to get the VM list. But I don't know how to safely get root to run the command

virt-xml "$vm_name_item" --edit --disk readonly=on

?

Pretty sure it is run by root.

https://github.com/Whonix/whonix-libvirt/blob/master/lib/systemd/system/whonix-libvirt-set-live-to-readonly.service

That's systemd default.
(Unless User= is set which is not.)

I'll add a whoami for debugging purposes.

But maybe it shouldn't be run by root but as user user?

Also, should https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/install run as root or as user user? I guess as user user, because https://www.whonix.org/wiki/KVM does "seldom use sudo".

Also created https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/401 for it.
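As an added example that is not part of the whonix-libvirt package or of any comment above, the following POSIX shell script ties together the two points discussed in this thread: detecting live mode from the kernel command line (the same check ConditionKernelCommandLine=boot=live performs for a unit) and enumerating domains against the system libvirt instance explicitly, so the result does not depend on whether the caller is root, a sudo user, or a systemd unit. The file name live-readonly.sh, the --apply flag, and the sample virsh table are assumptions made for this example; qemu:///system, virsh list --all, and virt-xml --edit --disk readonly=on are the calls already used on this page.

```shell
#!/bin/sh
# Added example (not whonix-libvirt's own script): decide from the kernel
# command line whether this is a live boot, then set every libvirt domain's
# disk to readonly=on (live) or readonly=off (persistent). Connecting to the
# system libvirt instance explicitly makes the domain list identical under
# sudo, from a root systemd unit, or from a user shell with libvirt access.
set -eu

LIBVIRT_URI="qemu:///system"   # assumed: the Whonix VMs live in the system instance

# is_live_cmdline CMDLINE -> 0 if CMDLINE contains the exact word boot=live.
# Whole-word match, so "boot=livecd" or "noboot=live" do not count.
is_live_cmdline() {
    for word in $1; do
        [ "$word" = "boot=live" ] && return 0
    done
    return 1
}

# domain_names_from_table TABLE -> domain names, one per line, parsed from
# the tabular output of `virsh list --all`. Skips the header row and the
# dashed separator (a plain awk '{print $2}' | grep -v Name keeps the
# separator as an empty line). `virsh list --all --name` avoids parsing
# entirely; this helper exists for the table format discussed above.
domain_names_from_table() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 2 { print $2 }'
}

# set_disks_readonly MODE DOMAIN... -> run virt-xml for each domain.
# MODE is "on" or "off". `--edit` edits the first disk of the domain; use
# `--edit all` for domains that carry more than one disk.
set_disks_readonly() {
    mode="$1"; shift
    for dom in "$@"; do
        virt-xml --connect "$LIBVIRT_URI" "$dom" --edit --disk readonly="$mode"
    done
}

# Constructed sample of `virsh list --all` output, used to exercise the parser.
SAMPLE_VIRSH_TABLE=' Id   Name                 State
--------------------------------------
 -    Whonix-Gateway       shut off
 -    Whonix-Workstation   shut off'

main() {
    cmdline=$(cat /proc/cmdline)
    if is_live_cmdline "$cmdline"; then mode=on; else mode=off; fi
    echo "boot mode: ${mode} (setting disks readonly=${mode})"
    # Word-splitting is intended here: one domain name per line from --name.
    set_disks_readonly "$mode" $(virsh --connect "$LIBVIRT_URI" list --all --name)
}

# Only touch the host when explicitly asked: sh live-readonly.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run as `sudo sh live-readonly.sh --apply`; without the flag the script only defines its functions, which is what makes the whole-word boot=live check and the table parser easy to test in isolation before wiring the script into a unit that must be ordered After= the unit that defines the domains.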

Yes, it should be run by root. Maybe it is run by root but somehow the changes don't take place as they should. More debugging could help.

onion_knight2 added a comment. Edited Sun, Mar 15, 4:44 PM

I added whoami in the script and it confirmed it runs as root.

sudo systemctl status whonix-libvirt-set-live-to-readonly.service

is "succeeded". But it still doesn't work...

It works only if I run it manually.

EDIT: I think I know what the problem is:
whonix-libvirt-set-live-to-readonly.service fails to retrieve the domain names as it appears to be run BEFORE whonix-libvirt-install.service which sets the domain names...

Good catch! Merged.

I guess images will be set to kvm images read-only when booted in live iso mode (and probably live mode too). But once installed, images are still set to live mode. That would be probably kvm images read-only is set when run in iso live mode, cached in RAM and then installed to local disk?

How to solve this? Set to read-write when booting in non-live mode? That seems intrusive and might lead to things the user does not want.

If that is the case, maybe at the end of calamares we need to run a script in chroot (same script with new parameter support?) that sets images in chroot (installed system on disk) to read-write?

I guess images will be set to kvm images read-only when booted in live iso mode (and probably live mode too). But once installed, images are still set to live mode. That would be probably kvm images read-only is set when run in iso live mode, cached in RAM and then installed to local disk?

Mmm I'm not sure, let me try it out to verify how it works.

If that is the case, maybe at the end of calamares we need to run a script in chroot (same script with new parameter support?) that sets images in chroot (installed system on disk) to read-write?

That seems a reasonable option, yes.

onion_knight2 added a comment. Edited Mon, Mar 16, 12:19 AM

There are two read-only parameters:

When both are set Whonix VMs work (as of now with last commit) if in live-boot AND in live-mode (meaning live-mode has to be chosen for them too at grub menu when they are booted).

As expected, this behavior is currently copied over during the installation on a persistent drive (Calamares installer, I have just tried it).

As a result, once the user boots an installed version of Whonix-Host, he has to manually revert these ro parameters to rw in order to have working Whonix VMs. Not practical/user-friendly.

I agree that a solution would probably be to run some kind of script at the end of the Calamares installation to revert ro to rw.

I agree that a solution would probably be to run some kind of script at the end of the Calamares installation to revert ro to rw.

Created:
https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/persistent-mode-to-read-write

My idea was: keep the virtualizer specific scripts in the virtualizer specific package whonix-libvirt. The (calamares) hook script which calls that script can be added to package live-config-dist.

There are two read-only parameters:

Good catch. Would have forgotten about the next one and figured out later.

I think that is only here:
https://github.com/Whonix/Whonix/blob/master/build-steps.d/1800_copy_vms_into_raw#L35


In summary, related files, implementation so far:

There might be an issue. There is a reason why write access (previously chmod 444) was removed during build in chroot, right? If I remember right, reason being setting chmod in iso live mode boot results the whole image to be modified in RAM?

Then what about hdd live mode boot? Does this issue apply there too?

I.e. we need to keep all boot modes in mind.

  • iso live mode boot
  • installed disk live mode boot
  • installed disk persistent mode boot

This implementation path might not work for installed disk live mode boot?

I think that is only here:
https://github.com/Whonix/Whonix/blob/master/build-steps.d/1800_copy_vms_into_raw#L35

Yes, my mistake. Only here.

There might be an issue. There is a reason why write access (previously chmod 444) was removed during build in chroot, right? If I remember right, reason being setting chmod in iso live mode boot results the whole image to be modified in RAM?

Yes.

Then what about hdd live mode boot? Does this issue apply there too?
This implementation path might not work for installed disk live mode boot?

I don't know. Not implemented yet. Currently installed (persistent) Whonix-Host does not have live-boot option.

To sum up, we still need a calamares hook script to run https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/persistent-mode-to-read-write at the end of installation, right?

I don't know. Not implemented yet. Currently installed (persistent) Whonix-Host does not have live-boot option.

Created for it:

To sum up, we still need a calamares hook script to run https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/persistent-mode-to-read-write at the end of installation, right?

Yes.

(Though, Whonix-Host installed live mode might not have VMs with right read-only settings.)

Do you know how to run calamares hook scripts? I think I saw this before but I can't find it anymore. Or we have to invent our own mini calamares module similar to how package calamares-settings-debian invented new calamares modules?

Do you know how to run calamares hook scripts? I think I saw this before but I can't find it anymore. Or we have to invent our own mini calamares module similar to how package calamares-settings-debian invented new calamares modules?

I don't know yet. Will look into that.

As of 15.0.1.0.7, the following behavior is observed:

  • Whonix-Host in ISO mode correctly sets the gw/ws VMs in read-only mode (kvm xml config files)
  • Whonix-Host in ISO mode correctly sets the gw/ws image files permissions in read-only mode
  • Whonix-Host in installed (persistent, post-Calamares) mode correctly unsets the gw/ws VMs read-only mode (kvm xml config files)
  • Whonix-Host in installed (persistent, post-Calamares) mode fails to set correct permissions for gw/ws image files

[1] There is currently no trigger (systemd unit file) to execute /usr/lib/whonix-libvirt/persistent-mode-to-read-write.

You could try to manually run:

sudo /usr/lib/whonix-libvirt/persistent-mode-to-read-write

Just now added [1].

https://github.com/Whonix/whonix-libvirt/blob/master/lib/systemd/system/whonix-libvirt-set-persistent-mode-to-read-write.service

Untested. Not sure ConditionKernelCommandLine=!boot=live is going to work.

The exclamation mark ! hopefully means "do this only if boot=live kernel command line is not set".