Actions

HowTo: Install the Testers-Only Version of Qubes-Whonix ™

From Whonix

< Qubes‎ | Install




Introduction[edit]

To install the stable version instead, see HowTo: Install the Stable Version of Qubes-Whonix ™.

Let's test these templates!

forum discussion [archive]

FREE

Notes[edit]

Qubes community stable templates repository:

Qubes community testing templates repository:

Installation[edit]

Qubes Version[edit]

Remove Old Versions[edit]

If you are already running any version of Qubes-Whonix ™, it must be uninstalled before a complete (re-)installation is performed. This applies to those who:

Before re-installation, back up any existing data stored in Whonix VMs.

In summary, three options are available (listed in order of preference):

  1. Uninstall Qubes-Whonix ™ and then Install Qubes-Whonix ™; OR
  2. Reinstall the Whonix TemplateVM; OR
  3. Release Upgrade Whonix 15 to Whonix 16

Update dom0[edit]

Launch a dom0 terminal.
Click the Qubes App Launcher (blue/grey "Q")Open the Terminal Emulator (Xfce Terminal)

Qubes-whonix1.png

Upgrade Qubes dom0. This step is mandatory. [1] 

sudo qubes-dom0-update

Configure salt using Qubes dom0 Community Testing Repository[edit]

Info Testers only.

If you are an interested tester, click on Expand on the right.

The following command will configure Qubes dom0 salt to use qubes-templates-community-testing for downloading Whonix ™. [2] 

sudo qubesctl top.enable qvm.whonix-testing pillar=true

The following steps to enable the qubes-templates-community-testing repository should no longer be required. Please report if these steps were necessary for you.

If you are an interested tester, click on Expand on the right.

1. Enable qubes-templates-community-testing repository.

View the Qubes Templates .repo [archive] file. 

cat /etc/yum.repos.d/qubes-templates.repo

2. Ensure the file contains [qubes-templates-community-testing].

The following text should be included. 

[qubes-templates-community-testing]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
enabled = 0
fastestmirror = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-templates-community

3. Fix any missing sections.

If the [qubes-templates-community-testing] section is missing, then the user has probably already modified the file. In this case dnf [3] preserves user changes by saving updates to /etc/yum.repos.d/qubes-templates.repo.rpmnew [4] instead of overwriting the file. Since the .repo.rpmnew file is ignored by qubes-dom0-update, the .repo file must be manually updated.

Either:

  • Manually add the changes from .repo.rpmnew to the .repo file; or
  • Overwrite the .repo file with the .repo.rpmnew file: 
    • sudo cp /etc/yum.repos.d/qubes-templates.repo.rpmnew /etc/yum.repos.d/qubes-templates.repo

    • And then manually add back necessary changes. If the command fails because /etc/yum.repos.d/qubes-templates.repo.rpmnew does not exist, then the user probably has [qubes-templates-community-testing] already.

Adjust Whonix Version Number[edit]

1. In dom0 open file whonix.jinja with root rights. [5] 

sudo nano /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja

2. Change 15 to 16.

3. Save the file.


Download Whonix ™ Templates and Configure sys-whonix and anon-whonix[edit]

Ambox warning pn.svg.png Before executing the call in this section, note it can take a long time to finish. Fast Internet connections take only a few minutes, while slow connections can take twenty minutes or more (it is far slower over Tor). No progress indicator is shown, so do not interrupt the salt process once it has started or this can lead to an unstable system [archive]. [6]

The following qubesctl command [7] will:

  1. Download both Whonix-Gateway ™ and Whonix-Workstation ™ Templates.
  2. Configure sys-whonix and anon-whonix safely. [8]

In dom0, run. 

sudo qubesctl state.sls qvm.anon-whonix

Refer to the footnotes for troubleshooting tips. [9] [10] [11]

Optional: Whonix ™ DisposableVM Template VM[edit]

In Qubes R4 and above a whonix-ws-16-dvm Disposable Template can optionally be set up as a base for Disposables. [12]

In dom0, run. 

sudo qubesctl state.sls qvm.whonix-ws-dvm

Optional: Updates over Tor[edit]

Templates[edit]

To force all Template updates over Tor, [13] use salt in dom0. 

sudo qubesctl state.sls qvm.updates-via-whonix

To undo this setting, modify /etc/qubes-rpc/policy/qubes.UpdatesProxy in dom0. [14] See also How-to: Fix dom0 Qubes-Whonix ™ UpdatesProxy Settings.

dom0[edit]

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [15]

  • Qube ManagerSystemGlobal SettingsDom0 UpdateVM: sys-whonixOK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [16]

  • Qubes ManagerSystemGlobal SettingsDom0 UpdateVM: sys-firewallOK

Optional: Enable AppArmor[edit]

If you are interested, click on Expand on the right.

The following steps should be completed in dom0 for both whonix-gw-16 and whonix-ws-16 Templates. [17] After these settings are applied to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (App Qube) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the sys-whonix and anon-whonix App Qubes to benefit from the new kernel parameters. [18] It is also important to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters. 

qvm-prefs -g whonix-gw-16 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example. 

qvm-prefs -s whonix-gw-16 kernelopts "nopat apparmor=1 security=apparmor"

qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again). 

qvm-prefs -g whonix-gw-16 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the sys-whonix ProxyVM and confirm AppArmor is now active. 

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters. 

qvm-prefs -g whonix-ws-16 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example. 

qvm-prefs -s whonix-ws-16 kernelopts "nopat apparmor=1 security=apparmor"

qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again). 

qvm-prefs -g whonix-ws-16 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the anon-whonix App Qube and confirm AppArmor is now active. 

sudo aa-status --enabled ; echo $?

The output should show.

0

Update and Launch Applications[edit]

Before starting applications in the Whonix-Workstation ™ App Qube, update both Whonix-Gateway ™ and Whonix-Workstation ™ Templates.

To launch an application like Tor Browser:

  • Qubes App Launcher (blue/grey "Q")Domain: anon-whonixTor Browser (AnonDist)

Additional Information[edit]

It is recommended to refer to these additional references:

Footnotes[edit]

  3. Which is invoked by qubes-dom0-update.
  4. Note the file extension .repo.rpmnew.
  6. add salt download progress indicator [archive]
  9. If an error message appears stating that qubesctl does not exist or the command is not recognized, then it is necessary to enable the testing repository and install salt. 
    sudo qubes-dom0-update --best --allowerasing --enablerepo=qubes-dom0-current-testing qubes-mgmt-salt-dom0-virtual-machines

    Please report if this step was necessary for you!

  10. Sometimes the Qubes Community Templates repository must also be enabled by editing Qubes' dom0 repository definition files.

    In dom0.

    1. Open file /etc/yum.repos.d/qubes-templates.repo with root rights. 

    sudo nano /etc/yum.repos.d/qubes-templates.repo

    2. In section [qubes-templates-community], add the following. 

    enabled = 1

    3. Save.

    Please report if step this was necessary for you!

  11. If qubesctl still does not work, try shutting down Qubes OS and rebooting the machine. Please report if this step was necessary for you!
  12. https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/whonix-ws-16-dvm.sls [archive]
  14. https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/_jI2uWPPMMA#!topic/qubes-users/_jI2uWPPMMA [archive]
  15. Or manually set the torified UpdateVM in dom0 terminal. 
    qubes-prefs updatevm sys-whonix

  16. To revert this change in dom0 terminal, run. 
    qubes-prefs updatevm sys-firewall

  17. Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Whonix ™ is based on a recent enough Debian version.
  18. Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template [archive].
Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

Love Whonix ™ and want to help spread the word? You can start by telling your friends or posting news about Whonix ™ on your website, blog or social media.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Retrieved from "https://www.whonix.org/w/index.php?title=Qubes/Install/Testing&oldid=66311"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information