Reinstall Qubes-Whonix TemplateVMs - Stable Version
< Qubes
Contents
- 1 Introduction
- 2 Reinstall the Whonix TemplateVM
- 3 Footnotes
Introduction[edit]
On occasion it is necessary to reinstall a Whonix TemplateVM from the Qubes repository. [1] This usually applies when the template is:
- Outdated: To upgrade to a newer Point Release or testers-only version of Whonix.
- Broken: TemplateVMs can become broken and/or unbootable for a number of reasons, like when removing meta-packages that Whonix "depends" on to function properly, or after mixing packages from a later Debian release.
- Misconfigured: Not all TemplateVM modifications are easily reversible. In some cases it may be necessary to reinstall the TemplateVM.
- Compromised: Users may suspect their TemplateVM has been compromised. For further information on this topic, see: Am I Compromised?
 | If the Whonix TemplateVM is broken, misconfigured or potentially compromised, discontinue using any VMs based on the affected template. |
The obvious reason is any TemplateBasedVMs that are based on the affected TemplateVM will inherit the same issues. Disregarding this advice could lead to serious consequences. For example, a core component of the Whonix security model depends on sys-whonix forcing all traffic through Tor or blocking it. If sys-whonix was based on a TemplateVM with a misconfigured or broken firewall, the Whonix security model would be broken. [2]
Qubes has its own template reinstall guide, however this guide on the Whonix website should be preferred for re-installation of Qubes-Whonix, because this guide is Whonix specific and contains instructions how to properly set up all settings. [3]
 | Note: The root file system of the affected TemplateVM will be lost during the reinstallation process. It is recommended to create a backup of any important files first. |
You can either:
- A) Uninstall Qubes-Whonix and then Install Qubes-Whonix, OR
- B) Follow the Reinstall the Whonix TemplateVM instructions below.
Reinstall the Whonix TemplateVM[edit]
Qubes Version[edit]
|
UpdateVM Setting[edit]
Since only Fedora based UpdateVMs support --action=upgrade option for restalling the TemplateVM, it is recommended to create a dedicated Qubes dom0 UpdateVM based on Qubes Fedora template. Forcing dom0 updates over Tor is still possible by setting sys-whonix as NetVM for the UpdateVM. [4]
1. Create a new VM named dom0-updatevm.
Qubes VM Manager->VM->Create AppVM- Name and label: Name the AppVM. Don't include any personal information (if the AppVM is compromised, the attacker could run
qubesdb-read /nameto reveal the VM name). Name the AppVM something generic, for example:dom0-updatevm. - Color: Choose a color label for the UpdateVM.
- Use this template: Choose the Fedora based TemplateVM. For example:
fedora-28. - Standalone: Leave the Standalone field unchecked.
- Type: Choose the type
AppVM. - Allow networking: Choose the desired NetVM from the list. For example:
sys-whonix. - Press:
OK.
- Name and label: Name the AppVM. Don't include any personal information (if the AppVM is compromised, the attacker could run
2. Configure the NetVM setting of dom0-updatevm.
- Option A) If the user wants non-torified, clearnet Qubes dom0 updates, set the NetVM of
dom0-updatevmfor example tosys-firewall.
Qube Manager -> dom0-updatevm -> Qube settings -> Networking: sys-firewall -> OK [5]
- Option B) If the user wants torified Qubes dom0 updates, set the NetVM of
dom0-updatevmto Whonix-Gateway.
Qube Manager -> dom0-updatevm -> Qube settings -> Networking: sys-whonix -> OK [6]
3. The process of configuring the UpdateVM is now complete.
Update dom0[edit]
To launch a dom0 terminal, click the Qubes App Launcher (blue/grey "Q") and then open the Terminal Emulator (Xfce Terminal).
Upgrade Qubes dom0. [8]
sudo qubes-dom0-update
Reinstall[edit]
To launch a dom0 terminal, click the Qubes App Launcher (blue/grey "Q") and then open the Terminal Emulator (Xfce Terminal).
In the instructions below, first it will be checked if there is a newer version of the TemplateVM.
- If a newer TemplateVM version exists, install it. (
--action=upgrade) - If no newer TemplateVM version is available, reinstall the existing version. (
--action=reinstall)
Unfortunately there is no combined upgrade and reinstall command. [9]
Try upgrading the TemplateVM.
This will only work if there is a new Point Release of the TemplateVM.
Execute the following command. Replace qubes-template-package with either: qubes-template-whonix-ws-14 or qubes-template-whonix-gw-14, respectively.
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=upgrade <qubes-template-package>
For example, to reinstall and upgrade whonix-gw-14 TemplateVM.
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=upgrade qubes-template-whonix-gw-14
For example, to reinstall and upgrade whonix-ws-14 TemplateVM.
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=upgrade qubes-template-whonix-ws-14
Read the output of the above command. Possible outcomes, either:
- A) The TemplateVM gets upgraded. In that case you can skip the below section "Reinstall the TemplateVM". OR
- B) Above commands might finish relatively quickly and might say
No new updates available. In that case, proceed with the section below "Reinstall the TemplateVM". OR - C) TemplateVM upgrade is unsupported. This might happen if a non-Fedora based UpdateVM is used in conjunction with the
--action=upgradeoption. See: UpdateVM Setting for more information. OR - D) Some error such as networking issue.
Reinstall the TemplateVM.
If above --action=upgrade did not actually reinstall the TemplateVM, it means that there is no new Point Release available at this point. It however also means, that the TemplateVM has not been actually reinstalled. To actually reinstall the TemplateVM, proceed as documented below.
If you are not sure, below commands are safe in any case. Should you already have the latest TemplateVM version, in worst case it would be re-installed yet another time, which is ok.
Execute the following command. Replace qubes-template-package with either: qubes-template-whonix-ws-14 or qubes-template-whonix-gw-14, respectively.
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall <qubes-template-package>
For example, to reinstall whonix-gw-14 TemplateVM.
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-gw-14
For example, to reinstall whonix-ws-14 TemplateVM.
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-ws-14
Read the output of the above command. Possible outcomes, either:
- A) The TemplateVM got reinstalled. OR
- B) Some error such as networking issue.
Settings[edit]
Use salt for dom0 settings setup. [10]
| This step is mandatory. [11] |
sudo qubesctl state.sls qvm.anon-whonix
Optional Whonix DVM Template VM[edit]
In Qubes R4 and above, users can choose to set up a whonix-ws-14-dvm DVM Template as a base for Disposable VMs. [12]
In dom0, run.
sudo qubesctl state.sls qvm.whonix-ws-dvm
Optional Updates over Tor[edit]
TemplateVMs[edit]
To force all TemplateVM updates over Tor, [13] use salt in dom0:
sudo qubesctl state.sls qvm.updates-via-whonix
To undo this setting, modify /etc/qubes-rpc/policy/qubes.UpdatesProxy in dom0. [14]
dom0[edit]
To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [15]
Qube Manager -> System -> Global Settings -> Dom0 UpdateVM: sys-whonix -> OK
To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [16]
Qubes Manager -> System -> Global Settings -> Dom0 UpdateVM: sys-firewall -> OK
Optional: Enable AppArmor[edit]
If you are interested, click on Expand on the right.
The following steps should be completed in dom0 for both whonix-gw-14 and whonix-ws-14 TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[17] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway[edit]
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
qvm-prefs -g whonix-gw-14 kernelopts
Qubes R3.2 and later releases will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-14 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the sys-whonix ProxyVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Whonix-Workstation[edit]
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
qvm-prefs -g whonix-ws-14 kernelopts
Qubes R3.2 and later releases will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-14 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the anon-whonix AppVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Restart TemplateBasedVMs[edit]
Any VMs based on the reinstalled TemplateVM must be restarted to reflect the updated file system.
Update and Launch Applications[edit]
Before starting applications in the Whonix-Workstation AppVM, update both Whonix-Gateway and Whonix-Workstation TemplateVMs.
To launch an application like Tor Browser:
Qubes App Launcher (blue/grey "Q") -> Domain: anon-whonix -> Tor Browser (AnonDist)
To learn about known bugs affecting this release, see here.
Done[edit]
The process to reinstall Whonix TemplateVMs is now complete. Users should disregard the chapter Manual Reinstallation below.
Footnotes[edit]
- ↑ https://qubes-os.org/doc/reinstall-template/
- ↑ https://whonix.org/Dev/Technical_Introduction#With_more_technical_terms
- ↑ Using salt.
- ↑
sys-net->sys-firewall->sys-whonix->UpdateVMUpdateVM->sys-whonix->sys-firewall->sys-net
- ↑
qvm-prefs updatevm-name netvm sys-whonix
- ↑
qvm-prefs updatevm-name netvm sys-whonix
- ↑
If the dom0 UpdateVM is based on a template that is broken or no longer trusted, ref Template is broken, misconfigured or compromised ref an alternate UpdateVM can be used temporarily. In other words, more specifically, if the user no longer trusts its Whonix-Gateway TemplateVM (
whonix-gw-14) and/or its Whonix-Gateway ProxyVM (sys-whonix), then configure Qubes dom0 to use a different UpdateVM by applying the following steps. TODO - ↑ This is required to make sure a recent version of Qubes repository definition files, Qubes salt as well as qubes-core-admin-addon-whonix gets installed.
- ↑ qubes-dom0-update combined --action=upgrade --action=reinstall command
- ↑ Dev/Qubes#salt
- ↑ phase out manual use of qubes-dom0-update by user / replace it by salt
- ↑ https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/whonix-ws-14-dvm.sls
- ↑
- In Qubes-R4 and above, RPC/qrexec UpdatesProxy is used to update TemplateVMs
- doc/software-update-vm/#technical-details-r40
- salt
- https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/updates-via-whonix.sls
- ↑ https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/_jI2uWPPMMA#!topic/qubes-users/_jI2uWPPMMA
- ↑
Or manually set the torified UpdateVM in dom0 terminal.
qubes-prefs updatevm sys-whonix
- ↑
To revert this change in dom0 terminal, run.
qubes-prefs updatevm sys-firewall
- ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
No user support in comments. See Support.
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
Did you know that Whonix could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.
Enable comment auto-refresher