HowTo: Install the Testers-Only Version of Qubes-Whonix ™

From Whonix
< Qubes‎ | Install
Jump to navigation Jump to search




Introduction[edit]

To install the stable version instead, see HowTo: Install the Stable Version of Qubes-Whonix ™.

Let's test these templates!

forum discussion

FREE

Notices[edit]

Table: Qubes-Whonix ™ 16 Release Notices

Notice Description
Qubes Version Support
  • Qubes R4.0: Supported.
  • Qubes R4.1: Qubes-Whonix - any version - for Qubes R4.1 is not yet supported by Whonix ™ developers. Follow this ticket for current status and updates.
Footnotes

Novice or intermediate users can generally ignore footnotes (like 1) unless experiencing difficulties or having questions. See also introduction chapter Whonix ™ Footnotes and References.

Issues

In case technical issues are experienced such as broken dom0, broken qubes-dom0-update are Qubes issues and unspecific to Whonix ™ and should therefore be either reported to qubes-issues, or added as a comment to an existing issue there (if appropriate). This is further elaborated in What to post in this Qubes-Whonix forum and what not.

The instructions on this wiki page have bad usability. These are mostly out of control of the Whonix ™ project. See footnote for more information. [1]

Qubes-Whonix ™ 15 to Qubes-Whonix ™ 16 Release Upgrade This is a notice for users who currently have Qubes-Whonix ™ 15 installed.

If Qubes-Whonix ™ 15 is installed and you want to get Qubes-Whonix ™ 16, there is no need to uninstall Qubes-Whonix ™ 15 before proceeding according to the instructions on this wiki page. This is because the new templates (whonix-ws-16, whonix-gw-16) will be installed alongside the old templates (whonix-ws-15, whonix-gw-15).

In this case, App Qubes that were previously configured to use Qubes-Whonix ™ 15 templates will keep using them -- the Templates of any App Qubes are not automatically changed to the newly installed Qubes-Whonix ™ 16 templates. This is a Qubes default and unspecific to Qubes-Whonix ™. [2] Therefore, a manual change must be applied to App Qubes settings by the user. The rationale is to prevent unexpected changes of an App Qube's Template without the user's consent. [3]

After the Qubes-Whonix ™ installation has finished, it is recommended to manually change the setting of any App Qubes still using Qubes-Whonix ™ 15 Templates to the Qubes-Whonix ™ 16 Templates. [4]

A wholly different, alternative option is to ignore all the advice on this wiki page and instead perform a Release Upgrade according to the Release Upgrade Whonix ™ 15 to Whonix ™ 16 instructions.

Preexisting Qubes-Whonix ™ 16 Installations

This is a notice for users who already have Qubes-Whonix ™ 16 installed.

If any user data was stored in Qubes-Whonix ™ VMs, before re-installation, back up any existing data.

If you are already running Qubes-Whonix ™ 16, it must be uninstalled before a complete re-installation is performed. This is also necessary when Qubes-Whonix ™ 16 is bundled as part of future Qubes releases, and auto-configuration is selected during the installation.

Choose re-installation options A) OR B). (listed in order of preference)

Installation[edit]

Remove Old Versions[edit]

Table: Qubes-Whonix ™ 16 Release Notices

Notice Description
Qubes Version Support
  • Qubes R4.0: Supported.
  • Qubes R4.1: Qubes-Whonix - any version - for Qubes R4.1 is not yet supported by Whonix ™ developers. Follow this ticket for current status and updates.
Footnotes

Novice or intermediate users can generally ignore footnotes (like 1) unless experiencing difficulties or having questions. See also introduction chapter Whonix ™ Footnotes and References.

Issues

In case technical issues are experienced such as broken dom0, broken qubes-dom0-update are Qubes issues and unspecific to Whonix ™ and should therefore be either reported to qubes-issues, or added as a comment to an existing issue there (if appropriate). This is further elaborated in What to post in this Qubes-Whonix forum and what not.

The instructions on this wiki page have bad usability. These are mostly out of control of the Whonix ™ project. See footnote for more information. [5]

Qubes-Whonix ™ 15 to Qubes-Whonix ™ 16 Release Upgrade This is a notice for users who currently have Qubes-Whonix ™ 15 installed.

If Qubes-Whonix ™ 15 is installed and you want to get Qubes-Whonix ™ 16, there is no need to uninstall Qubes-Whonix ™ 15 before proceeding according to the instructions on this wiki page. This is because the new templates (whonix-ws-16, whonix-gw-16) will be installed alongside the old templates (whonix-ws-15, whonix-gw-15).

In this case, App Qubes that were previously configured to use Qubes-Whonix ™ 15 templates will keep using them -- the Templates of any App Qubes are not automatically changed to the newly installed Qubes-Whonix ™ 16 templates. This is a Qubes default and unspecific to Qubes-Whonix ™. [6] Therefore, a manual change must be applied to App Qubes settings by the user. The rationale is to prevent unexpected changes of an App Qube's Template without the user's consent. [7]

After the Qubes-Whonix ™ installation has finished, it is recommended to manually change the setting of any App Qubes still using Qubes-Whonix ™ 15 Templates to the Qubes-Whonix ™ 16 Templates. [8]

A wholly different, alternative option is to ignore all the advice on this wiki page and instead perform a Release Upgrade according to the Release Upgrade Whonix ™ 15 to Whonix ™ 16 instructions.

Preexisting Qubes-Whonix ™ 16 Installations

This is a notice for users who already have Qubes-Whonix ™ 16 installed.

If any user data was stored in Qubes-Whonix ™ VMs, before re-installation, back up any existing data.

If you are already running Qubes-Whonix ™ 16, it must be uninstalled before a complete re-installation is performed. This is also necessary when Qubes-Whonix ™ 16 is bundled as part of future Qubes releases, and auto-configuration is selected during the installation.

Choose re-installation options A) OR B). (listed in order of preference)

Update dom0[edit]

Launch a dom0 terminal.
Click the Qubes App Launcher (blue/grey "Q")Open the Terminal Emulator (Xfce Terminal)

Qubes-whonix1.png

Upgrade Qubes dom0. This step is mandatory. [9]

sudo qubes-dom0-update

Configure salt using Qubes dom0 Community Testing Repository[edit]

Info Testers only.

If you are an interested tester, click on Expand on the right.

The following command will configure Qubes dom0 salt to use qubes-templates-community-testing for downloading Whonix ™. [10]

sudo qubesctl top.enable qvm.whonix-testing pillar=true

The following steps to enable the qubes-templates-community-testing repository should no longer be required. Please report if these steps were necessary for you.

If you are an interested tester, click on Expand on the right.

1. Enable qubes-templates-community-testing repository.

View the Qubes Templates .repo file.

cat /etc/yum.repos.d/qubes-templates.repo

2. Ensure the file contains [qubes-templates-community-testing].

The following text should be included. 

[qubes-templates-community-testing]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
enabled = 0
fastestmirror = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-templates-community

3. Fix any missing sections.

If the [qubes-templates-community-testing] section is missing, then the user has probably already modified the file. In this case dnf [11] preserves user changes by saving updates to /etc/yum.repos.d/qubes-templates.repo.rpmnew [12] instead of overwriting the file. Since the .repo.rpmnew file is ignored by qubes-dom0-update, the .repo file must be manually updated.

Either:

  • Manually add the changes from .repo.rpmnew to the .repo file; or
  • Overwrite the .repo file with the .repo.rpmnew file:
    • sudo cp /etc/yum.repos.d/qubes-templates.repo.rpmnew /etc/yum.repos.d/qubes-templates.repo
    • And then manually add back necessary changes. If the command fails because /etc/yum.repos.d/qubes-templates.repo.rpmnew does not exist, then the user probably has [qubes-templates-community-testing] already.

Adjust Whonix ™ Version Number[edit]

Verify whonix_version is 16.

If the previous sudo qubes-dom0-update was completed, it should not be necessary to verify the version number. However, this is mentioned because many users fail to update dom0 packages beforehand.

In dom0. View contents of file /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja.

sudo cat /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja

Example output:

{% set whonix_version = salt['pillar.get']('qvm:whonix:version', '16') %} {% set whonix_repo = salt['pillar.get']('qvm:whonix:repo', '[omitted for brevity]') %}

If it shows something else, then Qubes dom0 is outdated. In that case, it is not possible to continue. [13] [14]

Download Whonix ™ Templates and Configure sys-whonix and anon-whonix[edit]

Info Note: This downloading procedure can take a long time to finish. Fast Internet connections take only a few minutes, while slow connections can take twenty minutes or more (it is far slower over Tor).

Download both Whonix-Gateway ™ and Whonix-Workstation ™ Templates.

In dom0, run. [15]

sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-whonix-gw-16 qubes-template-whonix-ws-16

Configure sys-whonix and anon-whonix safely. [16]

In dom0, run. [17]

sudo qubesctl state.sls qvm.anon-whonix

Refer to the footnotes for troubleshooting tips. [18]

Optional: Whonix ™ DisposableVM Template VM[edit]

In Qubes R4 and above a whonix-ws-16-dvm Disposable Template can optionally be set up as a base for Disposables. [19]

In dom0, run.

sudo qubesctl state.sls qvm.whonix-ws-dvm

Optional: Updates over Tor[edit]

Templates[edit]

To force all Template updates over Tor, use qubesctl in dom0. [20]

sudo qubesctl state.sls qvm.updates-via-whonix

To undo this setting, modify /etc/qubes-rpc/policy/qubes.UpdatesProxy in dom0. [21] See also How-to: Fix dom0 Qubes-Whonix ™ UpdatesProxy Settings.

dom0[edit]

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [22]

  • Qube ManagerSystemGlobal SettingsDom0 UpdateVM: sys-whonixOK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [23]

  • Qubes ManagerSystemGlobal SettingsDom0 UpdateVM: sys-firewallOK

Optional: Enable AppArmor[edit]

If you are interested, click on Expand on the right.

The following steps should be completed in dom0 for both whonix-gw-16 and whonix-ws-16 Templates. [24] After these settings are applied to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (App Qube) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the sys-whonix and anon-whonix App Qubes to benefit from the new kernel parameters. [25] It is also important to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters.

qvm-prefs -g whonix-gw-16 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example.

qvm-prefs -s whonix-gw-16 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-gw-16 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the sys-whonix ProxyVM and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters.

qvm-prefs -g whonix-ws-16 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example.

qvm-prefs -s whonix-ws-16 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-ws-16 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the anon-whonix App Qube and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Update and Launch Applications[edit]

Before starting applications in the Whonix-Workstation ™ App Qube, update both Whonix-Gateway ™ and Whonix-Workstation ™ Templates.

To launch an application like Tor Browser:

  • Qubes App Launcher (blue/grey "Q")Domain: anon-whonixTor Browser (AnonDist)

Additional Information[edit]

It is recommended to refer to these additional references:

Footnotes[edit]

  2. This is also true for other distribution Templates. For example, users of the Qubes debian-10 Template will not have all their App Qubes updated to the new debian-11 Template by default when it is downloaded.
  3. For example, this could result in breakage if custom-installed applications in the old Template were not available in the new Template.
  6. This is also true for other distribution Templates. For example, users of the Qubes debian-10 Template will not have all their App Qubes updated to the new debian-11 Template by default when it is downloaded.
  7. For example, this could result in breakage if custom-installed applications in the old Template were not available in the new Template.
  9. This is required to make sure Older, similar references:
  11. Which is invoked by qubes-dom0-update.
  12. Note the file extension .repo.rpmnew.
  13. Testers-only: It should not be necessary to manually update that file because the Qubes dom0 stable package should have updated it already. If it didn't, then the cause is general issues unspecific to Whonix ™.

    1. In dom0 open file whonix.jinja with root rights.

    sudo nano /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja

    2. Change 15 to 16.

    3. Save the file.

  14. The following Qubes issues are for developers understanding, reference only:
  15. The following qubes-dom0-update command is:
    • Optional.
    • Useful because it has a progress indicator while the subsequent qubesctl command does not. (Qubes feature request: add salt download progress indicator) It very confusing to have a long running download command with progress bar, specifically over Tor.
    • Insufficient by itself - the subsequent qubesctl command that follow is mandatory as per phase out manual use of qubes-dom0-update by user / replace it by salt and Dev/Qubes#salt.
    • --enablerepo=qubes-templates-community:
      • --enablerepo=qubes-templates-community can be omitted if Qubes Community Templates Repository is already enabled in dom0.
      • Qubes Community Templates Repository should already be enabled as per Qubes default unless disabled by user, restored Qubes-Whonix ™ from backup or some other edge case.
      • Recommending to type --enablerepo=qubes-templates-community is bad usability since users cannot copy from their VM browser where they are most likely reading this to dom0. But too many people reported this issue. had to enable Qubes templates community repository
      • If Qubes Community Templates Repository is not enabled in dom0, explicitly add --enablerepo=qubes-templates-community or enable through editing dom0 file /etc/yum.repos.d/qubes-templates.repo.

    In dom0.

    1. Open file /etc/yum.repos.d/qubes-templates.repo in a text editor with root rights.

    sudo nano /etc/yum.repos.d/qubes-templates.repo

    2. In section [qubes-templates-community], add the following.

    enabled = 1

    3. Save.

    4. Done.

    Qubes Community Templates Repository has been enabled. Command line parameter --enablerepo=qubes-templates-community should be no longer required.

    5. Report.

    Please report if step this was necessary for you!

  17. No progress indicator is shown. Qubes feature request: add salt download progress indicator
  18. If qubesctl still does not work, try shutting down Qubes OS and rebooting the machine. Please report if this step was necessary for you!
  19. For developers only, link to related source code file: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/whonix-ws-16-dvm.sls
  21. How to change TemplateVM update method from Whonix to just another appvm?
  22. Or manually set the torified UpdateVM in dom0 terminal.
    qubes-prefs updatevm sys-whonix
  23. To revert this change in dom0 terminal, run.
    qubes-prefs updatevm sys-firewall
  24. Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Whonix ™ is based on a recent enough Debian version.
  25. Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.

Whonix ™ The most watertight privacy operating system in the world.
FREE  ·  PLUS  ·  PREMIUM Support
GNU logo Open Source Initiative logo At Whonix we believe in freedom and trust. That's why we fully support Open Source and Freedom Software. Learn more.
Whonix ™ is supported by Evolution Host DDoS Protected VPS.
Whonix is the most watertight privacy operating system in the world
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Whonix © ENCRYPTED SUPPORT LP, 2022

Please help us to improve the Whonix ™ Wikipedia Page. Also see the feedback thread.

Retrieved from "https://www.whonix.org/w/index.php?title=Qubes/Install/Testing&oldid=73924"