Download Docs News Forums

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Introduction[edit]

Occasionally, mostly since the release of Qubes R4.1, Qubes-Whonix ™ user are reporting connectivity issues as well as sdwdate issues. However, a lot issues Qubes-Whonix ™ connectivity issues are unspecific to Whonix ™. These issues are often misattributed to Whonix ™.

Even though the issue is happening inside Whonix ™, the cause is most often unrelated to Whonix ™ source code. Qubes is developed by Qubes OS Project, which is an independent entity. The is the norm in Linux distributions. To learn more about such relationships see Linux User Experience versus Commercial Operating Systems . A different issue could be a Network Obstacle.

Whonix ™ does integration work Whonix ™ integrated into the Qubes platform. To use a simple analogy, Whonix ™ stays "on the outside". Very few modifications are made to Qubes through Qubes dom0 package qubes-core-admin-addon-whonix as described for developers in the Qubes-Whonix ™ qvm-tags chapter.

Qubes R4.1 was released with some "strange" connectivity bugs such as this.

A Qubes user might think the user has updated Qubes which should include bug fixes but actually the update might not have happened due to Qubes Updater issues. Quote:

The situation is however complicated due to Qubes Updater Issues, most notably such as:

• qubes-dom0-update shows No updates available in case of network is down / qubes-dom0-update fails to notice if repositories are unreachable / network is down,
• Updating via Salt falsely claims to succeed when it actually fails and
• Replace built-in Qube Manager update functionality with the Qubes Update tool.

To remedy this kind of issue, there are a few approaches.

Qubes sdwdate specific[edit]

It is often suspected that sdwdate might be the cause.

This is unlikely. No issues are reported for Whonix ™ on other platforms such as Whonix ™ for VirtualBox which has a magnitude of more users but no (or very rare) similar connectivity bug reports.

sdwdate-gui makes Tor issues in Qubes-Whonix ™ more visible due to its graphical indication and easily accessible logs.

However, at time of writing sdwdate-gui is mostly a unsuitable connectivity troubleshooting tool.

To exclude the possibly that sdwdate is the cause, the user could attempt to disable the autostart of sdwdate.

• info: sdwdate
• try: Disable Autostart of sdwdate

Connectivity Troubleshooting Approaches[edit]

Generally[edit]

1. The user is encouraged to learn about general (unspecific to Whonix ™) Qubes Updater issues and make sure updates are really installed. See also Qubes/Update.

2. Connectivity Troubleshooting

3. Tor Connectivity Troubleshooting

Qubes sys-net workaround[edit]

Complete the following steps:

1. Shut down sys-whonix.
2. Change the sys-whonix NetVM setting from sys-firewall to sys-net.
3. Restart sys-whonix.

This procedure might help, but should not be considered a final solution. ^[1]

Please report if this workaround helped.

systemd-socket-proxyd[edit]

• systemd-socket-proxyd using 100% CPU was reported here
• systemd-socket-proxyd Failed to get remote socket: Too many open files potentially caused by VM logs filled with "host kernel: xen:grant_table: g.e x still pending" messages #7539

xen:grant_table[edit]

• Both,
  • kernel: xen:grant_table: g.e. redacted still pending
  • kernel: deferring g.e. redacted (pfn redacted)
• potentially caused by VM logs filled with "host kernel: xen:grant_table: g.e x still pending" messages #7539

suspend resume related[edit]

• VM using kernel 5.10.112 unable to resume after suspension #7554
• Windows become unresponsive for VMs that were paused before suspend #7548

Potential fix:

Properly suspend all VMs, not only those with PCI devices #473

clocksource tsc vs xen[edit]

• https://github.com/QubesOS/qubes-issues/issues/7404#issuecomment-1113299850

Future[edit]

The community is encouraged not to wait for Whonix ™ to fix these connectivity issues since this unfortunately is unlikely to happen. This is because Whonix ™ developers are not affected by these connectivity issues, these are non-reproducible issues and sometimes these are caused by already fixed Qubes bugs which are not yet fixed on Qubes due to Qubes Updater issues.

Related Qubes Bugs[edit]

• Denied: whonix.SdwdateStatus error message after DispVM has halted
  • https://github.com/QubesOS/updates-status/issues/2824 will fix most if not all Denied: whonix. alike issues
• Qubes doesn’t backup and restore qvm-tags. Therefore, sdwdate Denied messages can happen.
• Switching qube to Whonix template fails to add anon-vm qvm-tag, resulting in sys-whonix: denied: denied by policy

Unexpected autostart of sys-whonix[edit]

If using multiple Qubes-Whonix ™ VMs, the user should make sure to have followed the relevant documentation.

3 components are related here.

• A) Qubes dom0 UpdateVM setting
• B) Qubes dom0 UpdatesProxy
• C) Qubes dom0 sdwdate-gui qrexec settings.

On the Multiple Qubes-Whonix Templates wiki page take special note of the warning box in the UpdatesProxy chapter.

sdwdate-gui qrexec settings[edit]

sdwdate-gui qrexec settings fix[edit]

This wiki chapter is valid as of July 2022. It might be expired by August 2022.

A fully updated Qubes should not require any of the following steps.

1. 80-whonix.policy on github (raw) should look same as /etc/qubes/policy.d/80-whonix.policy in dom0.

2. The following files are legacy and could optionally be safely removed if step 1 was confirmed.

sudo rm /etc/qubes-rpc/policy/whonix.GatewayCommand

sudo rm /etc/qubes-rpc/policy/whonix.NewStatus

sudo rm /etc/qubes-rpc/policy/whonix.SdwdateStatus

sdwdate-gui qrexec debugging[edit]

Debugging Qubes qrexec is largely unspecific to Qubes-Whonix ™. Qubes qrexec debugging instructions from other resources such as perhaps the Qubes website should equally apply.

Note: Any commands that follow must be run inside Qube dom0.

1. Background information on qvm-tags.

See if you can make head or tail of qvm-tags developer notes. If not, skip this step.

2. Check qvm-tags of Whonix-Gateway ™ net qube.

qvm-tags sys-whonix

Expected printout should include:

anon-gateway

3. Check qvm-tags of Whonix-Workstation ™ App Qube.

qvm-tags anon-whonix

Expected printout should include:

anon-vm

4. Check qvm-tags of Whonix-Gateway ™ Template.

qvm-tags whonix-gw-16-16

Expected printout should include:

whonix-updatevm

5. Check qvm-tags of Whonix-Workstation ™ Template.

qvm-tags whonix-ws-16-16

Expected printout should include:

whonix-updatevm

6. In dom0, check, follow journallog while reproducing sdwdate-gui qrexec messages.

Look for DENIED messages.

sudo journalctl -f

See Also[edit]

• Connectivity Troubleshooting
• General Troubleshooting
• Network Obstacle
• Tor
• vanguards
• Qubes-Whonix ™ Development

Footnotes[edit]

Whonix ™ The most watertight privacy operating system in the world.

Donate

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

Dark mode

At Whonix we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.

Whonix ™ is supported by Evolution Host DDoS Protected VPS.

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Whonix ENCRYPTED SUPPORT LP, 2023

Donate

Whonix is free from corporate interest by being user funded. Thank you so much!

Scan the QR code or use the wallet address below.

 

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!