Merged. Requires testing when new test images get available.

https://github.com/Whonix/shared-folder-help/pull/1
https://github.com/Whonix/shared-folder-help/pull/2
https://github.com/Whonix/shared-folder-help/pull/3
https://github.com/Whonix/shared-folder-help/pull/4

Yes, AppArmorProfile= is >= Debian version 9 codename Stretch only.

Progress information on this feature in Debian:

Jessie has systemd 215, meaning this *should* be in there. If its not working its probably a bug.

Looks like this option is not implemented.
Added

AppArmorProfile=/etc/apparmor.d/usr.sbin.cpfpd

in control-port-filter-python.service. It works as expected.
But with a typo

AppArmorProfile=/etc/apparmor.d/usr.sbin.cpf

It still works. sudo service control-port-filter-python status reports active (running), and the process is still enforced.

What's the ApparmorProfile= option good for?

Not required. T342 functional.

OK I edited my comment and added those in under the Unit section.

How to find out? Look manually into /etc/init.d/virtualbox-guest-utils
(or systemd unit files if it had those) and/or 'grep -i provides
/etc/init.d/virtualbox-guest-utils'.

What is the name of the systemd vbox guest additions service so I can add it? KVM does not rely on spice or a guest additions equivalent to share folders.

• In section [Unit] it should probably use After= something. I.e. make it run after VBox / KVM guest additions.
• debian/rules modifications
• debian/control modifications
• use /lib/systemd/system/
• commit to shared-folder-help package
• build package, test if it actually works

Great news! automatic shared folders is now achieved :D

I don't think you need a separate script. Instead of running a single
line script, you could try running the mount command directly from the
systemd unit file.

Ok I see what you're talking about.

HulaHoop (HulaHoop):

A solution you probably won't like is patching the fstab file directly.

A solution you probably won't like is patching the fstab file directly.

This option is dead because of some rare bug. There are only 4 search results for it and none of the situations really applies to our setup here.

How far I've gone:
I managed to debug errors until I corrected the parameters in the unit files so they should be correct. The remaining error has something to do with the 9p kernel module and I'm not sure where to go from here.

Nice. Much better than manually running mount from systemd.

Excellent example of shared folder mounting with systemd files in Arch documentation. It will take changing them from vmware to suit KVM and drop them in the same paths for testing:

If the manual mount command that does not involve /etc/fstab, i.e. mount -t 9p -o trans=virtio shared /mnt/shared -oversion=9p2000.L work for you in terminal, then a systemd unit file could do the same. Also without requiring /etc/fstab.

systemd can understand mount entries but they still have to be specified in /etc/fstab which won't solve anything.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666163 says fstab.d support has been removed. Not a great long term solution.

fstab.d should be available in the libmount version in Jessie:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666163

https://github.com/nrgaway/qubes-whonix/pull/10

Fixed in Whonix 10.0.0.2.3.

systemd unit: added 'Before=graphical.target' and 'Before=getty.target' - https://phabricator.whonix.org/T106:
https://github.com/Whonix/msgcollector/commit/ab24bd261d8ac2027f6a3ad85da4b4a3d416b044

Using sd_notify for shell scripts seems difficult to not much benefit. Not doing that. Patches welcome.

systemd unit: added 'TimeoutSec=30' and 'Restart=always' - https://phabricator.whonix.org/T311:
https://github.com/Whonix/whonixcheck/commit/eccbb43021ace3a9d2144c63e1a3c99571006701

Tested by placing /lib/systemd/system/tor.service from https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in (removed spaces).

fixed 'insserv: script tor.anondist-orig: service tor already provided!' warning during upgrades - https://phabricator.whonix.org/T303:
https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/12691426c9f0bfd561ce369e90158b9dcd1132ae

In T315#4975, @nrgaway wrote:

I don't consider enable SystemdUnit hacks if there are no other deb-installer solutions to ensure a proper state.

I don't consider enable SystemdUnit hacks if there are no other deb-installer solutions to ensure a proper state.

pull request...
clean mechanism to skip starting services network-manager, spice-vdagent, swap-file-creator and whonix-initializer in Qubes using /etc/systemd/system/unit.service.d directory - https://phabricator.whonix.org/T315:
https://github.com/nrgaway/qubes-whonix/pull/5

Works fine in Whonix 11.0.0.2.0-developers-only.

Fixed in Whonix 11.0.0.2.0-developers-only.

Tested restart instead of start reload before your post, working. Could not check if that solves the issue at first boot in Whonix Gateway, (tor active, exited) but I guess it does, because a manual sudo service tor restart works.

systemd unit: added 'Before=tor.service' and 'After=swap-file-creator.service' for better look and feel. - https://phabricator.whonix.org/T106:
https://github.com/Whonix/whonix-initializer/commit/0c1490942edd4c58207980785bb658afa163cb15

more work on systemd support - https://phabricator.whonix.org/T106:

• https://github.com/Whonix/sdwdate/commit/0f6e50748eaeab34f9f00ce7dfbd80e980cb2a5b
• https://github.com/Whonix/timesync/commit/b506ea4186a50bb50ae9b198deefaf2c9a7ca5d8

Probably better not. Not required. Non-standard. Conflicts are unlikely, because name of package = name of sysvinit script = name of systemd unit file.

systemd unit: added 'StandardOutput=tty' for better look and feel. - https://phabricator.whonix.org/T106
https://github.com/Whonix/swap-file-creator/commit/f49f572e5a06ed33eeacc5647f0f85751cc611b9

Improved implementation. When there is enough RAM... On 'enter': instantly start login manager. On 'ctrl + c': instantly abort and do not start login manager. On 'timeout': start login manager. Thanks to 'dh_systemd_start --no-start' we can now use 'StandardInput=tty' and 'read' instead of 'systemd-ask-password'. Now we could even implement an interactive menu at boot (that allows to configure wait time and/or disabling rads). - https://phabricator.whonix.org/T57:
https://github.com/Whonix/rads/commit/c8c94c3dfe625dee62bd0fcbe76c5480d4e94056

Doesn't look like we need one.

fix 'Tor fails after reload related to torrc DisableNetwork setting issue' by only restarting Tor, no longer trying to reload Tor - https://phabricator.whonix.org/T320:
https://github.com/Whonix/whonix-setup-wizard/commit/d5aacf5c58d5aad1c158e589b43d0dd5ccc9cc3f

Done in whonixsetup,
fix 'Tor fails after reload related to torrc DisableNetwork setting issue' by only restarting Tor, no longer trying to reload Tor - https://phabricator.whonix.org/T320
https://github.com/Whonix/whonixsetup/commit/bc8cb713430a655eb3bb8dd3f8397babce1b6d3e

In T320#4855, @Patrick wrote:

Reported a bug upstream.
Tor dies on reload when swichting to 'DisableNetwork 0' when using 'DnsPort 127.0.0.1:53':
https://trac.torproject.org/projects/tor/ticket/16161

In T304#4517, @nrgaway wrote:

The qubes-whonix-tor.service was implemented to solve the issue you were talking about where Tor would sometimes not start properly on boot.

Until upstream fixes that bug and until their fix landed in deb.torproject.org, which will take a while... Our options are:

Reported a bug upstream.
Tor dies on reload when swichting to 'DisableNetwork 0' when using 'DnsPort 127.0.0.1:53':
https://trac.torproject.org/projects/tor/ticket/16161

Updated ticket description with instructions on how to reproduce this issue.

more work on systemd support - https://phabricator.whonix.org/T106:
https://github.com/Whonix/timesync/commit/0a76d86a8e37ae9691374da69bdef452b6def7cc

bug report,
deb-systemd-helper fails to enable systemd units when using 'WantedBy = ' with spaces:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786418

Judging by the system man pages that do not use spaces and info from a systemd contributor on systemd IRC, no spaces should be used.

I guess just not using spaces would be the way to go. I used to not use spaces, but then added them as it seems like that should be supported and works with systemd, just not the deb-systemd-helper

In T316#4773, @nrgaway wrote:

That's a nasty upstream bug for deb-systemd-helper. You would have thought that would have been fixed for Jessie stable release.

That's a nasty upstream bug for deb-systemd-helper. You would have thought that would have been fixed for Jessie stable release. Do you know if there is a reported issue on it upstream?

In T316#4749, @Patrick wrote:

pull request against @nrgaway/qubes-whonix,
systemd unit file remove spaces fix/workaround:
https://github.com/nrgaway/qubes-whonix/pull/3

This is fixed, but there is a similar outstanding issue. Created T320 for it.

This is fixed in 11.0.0.1.8-developers-only.

Quoting myself.

pull request against @nrgaway/qubes-whonix,
systemd unit file remove spaces fix/workaround:
https://github.com/nrgaway/qubes-whonix/pull/3

All these changes are available in 11.0.0.1.8-developers-only. Now testing a build.

For reference, this is what I used for debugging.

systemd unit: workaround/fix, removed spaces from 'WantedBy = ', likely bug in 'deb-systemd-helper' that prevents enabling the service by default - https://phabricator.whonix.org/T316
systemd unit: workaround/fix, removed spaces, likely bug in 'deb-systemd-helper' that prevents enabling the service by default - https://phabricator.whonix.org/T316

• https://github.com/Whonix/bootclockrandomization/commit/0a15a20467e1ef33307435fa2a7b415f940955d9
• https://github.com/Whonix/bootclockrandomization/commit/faa7fa520679f1beb3401d4dbceb288c57e84660
• https://github.com/Whonix/msgcollector/commit/4503b5e9f92a0af8e473f2ff5dbc8a0001c0de92
• https://github.com/Whonix/msgcollector/commit/6640b8f8816df633af8d339769127d4912cf6ba4
• https://github.com/Whonix/sdwdate/commit/fb1480d8ee7ba130579555f43944608b4fea2f34
• https://github.com/Whonix/swap-file-creator/commit/f3187350233c4c87ab1bddc7db2734d97efee237
• https://github.com/Whonix/timesanitycheck/commit/f9d8ceec88b87ba648d5231504dfaf145e8c7bf6
• https://github.com/Whonix/whonixcheck/commit/2a72ec4348ab1ba4ac718d4e4be25b105292dc7c
• https://github.com/Whonix/timesync/commit/0f344ca1363682aa75a23c1bc2732732f331bd10

Looks like a bug in deb-systemd-helper.

Asked on debian systemd mailing list.
systemd unit functional, but not enabled by default issue:
https://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/2015-May/007271.html

The original issue of this ticket is solved for now as of 11.0.0.1.7-developers-only. The Tor daemon is automatically started on first boot.

Created a minimal package to reproduce this issue on a plain Debian jessie system:
https://github.com/adrelanos/hellodaemon

Good point! That will help. I'll be comparing those packages. Preferably we can keep packages systemd-only.

systemd unit: added 'Before=control-port-filter-python.service:
https://github.com/Whonix/whonix-initializer/commit/ace6738ef5ebb00ac5bc645d80577011b873e506

For information, tried it out of curiosity some time ago. control-port -filter-python is working with systemd only (control-port-filter-python removed from /etc/init.d).