Recovery

From Kicksecure
Jump to navigation Jump to search

The goal of this wiki page is to provide the user with knowledge for higher system reliability, robustness, increases uptime, backup, restoration, recovery and repair skills.

Introduction[edit]

It is prudent to acquire system recovery skills prior to an eventual later grave issue such as an unbootable VM or even unbootable host operating system, data loss or similar. This is because naturally for most users once they are affected by a grave issue, the mind goes into "issue solving mode", which can be stressful and less productive, specifically when it is currently a bad time to acquire these skills due to other more pressing priorities. By learning these skills in advance, one can the skills during a more appropriate time in in a much more positive, relayed environment which might potentially greatly increase a user's ability and lower the time required to fix their broken system, should this happen in the future.

Useful Skills[edit]

Useful Habits[edit]

  • Keep the log of any system upgrades as well as software installation processes.
  • Keep one or multiple root virtual terminal tabs in a terminal emulator open during actions which might break to unbootable systems, data loss or other issues during software installation or upgrades. The same goes for one or multiple root virtual consoles. This advice (for higher ability to easily recover from issuing gaining root) conflicts with the general security advice from the root wiki page (for better security).

Recovery Mode[edit]

If an error occurs that prevents Kicksecure from booting, it is possible to try and boot Kicksecure in recovery mode to fix the problem. It is advisable to learn how to use recovery mode while everything is still functional in case of future issues.

  1. After powering on a Kicksecure, you will see the virtual BIOS for a second, then the grub boot menu. The grub boot menu is easily identified by the first line of text which begins with GNU GRUB.
  2. Use the arrow keys to navigate and select Advanced Options for Kicksecure GNU/Linux.
  3. Press Enter.
  4. Choose the second option which at the end displays (recovery mode).
  5. Press Enter.
  6. Somewhere in the output, a message similar to the following will appear (it might be entangled with other debug output):

    Give root password for maintenance (Or press control + d to continue):

  7. Enter the root password.
  8. While typing, no asterisk symbols (*) will appear; the password must be typed "blind". [2]
  9. Press Enter.
  10. The default keyboard layout will be en-US. To change this setting, see: Keyboard Layout.
  11. Enter exit to continue booting or poweroff or reboot.

TODO: Explore whether networking is possible and how to transfer files out of the VM.

Virtual Consoles[edit]

An easier and more lightweight solution as alternative to recovery mode might be virtual consoles. If the graphical user interface is no longer starting, login to a virtual console might still be possible.

1. Prerequisite knowledge: Virtual Consoles.

2. Try to login in a virtual console in a different, still functional VM (virtual machine) as an exercise.

3. If that works, try login to virtual console in the broken VM.

Hard Drive Recovery[edit]

If no data needs be recovered, a complete re-installation might be easier.

A) If the host got unbootable due to hard drive issues:

  1. Damage control. Stop using the hard drive. This is because further use might add further damage.
  2. Make a full 1:1 raw clone of the hard drive.
  3. Data recovery. Unspecific to Kicksecure.

B) If a VM got unbootable due to hard drive issues:

Stop using the VM. This is because further use might add further damage.

  1. Create a full raw copy of the hard drive.
  2. Make a full 1:1 raw clone of the VM.
  3. Data recovery. Unspecific to Kicksecure.

Unlock User Account: Excessive Wrong Password Entry Attempts[edit]

See: Unlock User Account: Excessive Wrong Password Entry Attempts.

Reset User Account Password[edit]

See Reset User Account Password.

Chroot[edit]

If an error occurs that prevents Kicksecure from booting, it is possible to chrootarchive.org into Kicksecure from a live CD to fix the problem.

A disk image must be downloaded for this purpose -- Debian Live imagesarchive.org or Arch ISOarchive.org are useful options for this procedure.

VirtualBox[edit]

In VirtualBox, navigate to the VM storage settings. At the second controller, click the optical disk icon and add the disk image.

In the Motherboard settings, move the optical disk component to the top of the boot order, press OK and start the VM.

KVM[edit]

In virt-manager, click on the VM, click the settings icon at the top and click "Add Hardware". In "Storage", change the device type to "CDROM device" and add the disk image. Click "Finish" and at the boot options setting, move the CDROM to the top of the boot order.

Kicksecure[edit]

This procedure is undocumented and unspecific to Kicksecure. See unspecific.

Booting into the Live CD[edit]

After booting into the Live CD, follow these steps.

1. List the available drives and partitions.

fdisk -l

2. Mount the partition.

mount /dev/sda1 /mnt

Replace "/dev/sda1" with the drive partition name.

3. Chroot into the partition.

chroot /mnt /bin/bash

4. Optional: If the PATH variable is incorrect, it can be fixed with the following command.

source /etc/profile

Serial Console[edit]

VirtualBox[edit]

Preparation[edit]

Host Preparation[edit]

Install socat on the host operating system. The following steps apply to Linux distributions.

Install socat. To accomplish that, the following steps A. to D. need to be done.

A. Update the package lists.

sudo apt update

B. Upgrade the system.

sudo apt full-upgrade

C. Install the socat package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends socat

D. Done.

The procedure of installing socat is complete.

It is advised to research these using a non-Kicksecure VM such as Debian bookworm and learn it in a generic way which could then also be applied to Kicksecure.

VM Preparation[edit]

Inside the Kicksecure virtual machine where you want to enable the serial console, install the serial-console-enable package.

Install serial-console-enable. To accomplish that, the following steps A. to D. need to be done.

A. Update the package lists.

sudo apt update

B. Upgrade the system.

sudo apt full-upgrade

C. Install the serial-console-enable package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends serial-console-enable

D. Done.

The procedure of installing serial-console-enable is complete.

(Installed by default would be nice but it is not installed by default due to issue. TODO: add reference)

Read Only Serial Console[edit]

This option is very useful for capturing diagnostic output from a virtual machine. It allows a log of everything written to the kernel console to be obtained -- all console output is written to a plain text file from boot until shutdown. The logfile persists after VM shutdown, but is overwritten after the VM is shutdown and powered on again.

1. Enable the serial ports option. 3 Kicksecure VM settingsSerial PortsTick enable

Configure the following settings:

  • Port Number: COM1 (default)
  • Port Mode: Raw File
  • Path/Address: /home/user/vbox-raw-file

2. View the file with a text editor.

Any text editor can be used for this purpose. For example to view the file with mousepad, run.

mousepad /home/user/vbox-raw-file

3. Optional: View the file as it is being appended to from a terminal emulator.

The logfile is also compatible with other standard linux utlitites such as tail. To view it as it is being written, run.

tail -f /home/user/vbox-raw-file

4. Retain the file contents.

After VM shutdown it may be useful to retain its contents by copying the vbox-raw-file elsewhere to make it a persistent log file. If this is desirable, run.

cp /home/user/vbox-raw-file /home/user/vbox-console-log

Interactive Serial Console[edit]

This procedure does not yet work during the grub boot menu.

1. Enable serial ports on the host.

Kicksecure VM settingsSerial PortsTick enable

Configure the following settings:

  • Port Number: COM1 (default)
  • Port Mode: Host Pipe
  • Option: uncheck Connect to existing pipe/socket
  • Path/Address: /home/user/vbox-socket-file

[3] [4]

2. Connect to the relevant unix domain socket file.

On the host, run the following socat command to connect to the unix domain socket file which is connected to the operating system running inside the virtual machine. [5]

socat - UNIX-CONNECT:/home/user/vbox-socket-file

Depending on when the above command is run, nothing might appear. The reason is an interactive serial console will only show messages once connected to the serial console; old messages cannot be viewed that way. If the above command is run during early boot, then verbose messages will appear during boot. However, if you press Enter that should result in the virtual console asking for authentication.

3. Log in to the Kicksecure session.

Press Enter. The following prompt will appear.

host login:

Do not enter your host login username! Enter your Kicksecure user login name, which is most likely user. Press Enter. The following prompt will appear.

Password:

Enter the password for that user account; see Default Passwords. Press Enter.

Warning: the password will not be hidden by asterisk ("*") symbols. In other words, the password will be written in cleartext and could be read by anyone looking over your shoulder.

Also note that root logins are not possible by default.

Forum Discussion[edit]

https://forums.whonix.org/t/serial-console-in-virtualbox/8021archive.org

KVM[edit]

See KVM, serial console.

See Also[edit]

Footnotes[edit]

  1. For Qubes, see: https://www.qubes-os.org/doc/mount-from-other-os/archive.org
  2. See also: Default Passwords.
  3. If an error like the following appears.
    Failed to open a session for the virtual machine Kicksecure-Xfce_15.0.0.4.9.
    
    NamedPipe#0 failed to connect to local socket /home/user/vbox-socket-file (VERR_FILE_NOT_FOUND).
    
    Result Code: NS_ERROR_FAILURE (0x80004005)
    Component: ConsoleWrap
    Interface: IConsole {872da645-4a9b-1727-bee2-5585105b9eed}
    

    Then you must uncheck Connect to existing pipe/socket.

  4. vboxmanage modifyvm Kicksecure-Xfce --uart1 0x3F8 4 --uartmode1=server /home/user/vbox-socket-file
  5. socat - UNIX-CONNECT:/home/user/vbox-socket-file

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!