Jump to: navigation, search

Upgrading Whonix 10 to Whonix 11

Before you start[edit]

If you want to upgrade Whonix-Gateway as well as Whonix-Workstation[edit]

1. Backup your data. (Ideally have a copy of your VM, so you can try again.)
2. Consider running the optional #Sanity Tests.
3. Upgrade Whonix-Workstation.
4. Power off Whonix-Workstation.
5. Upgrade Whonix-Gatway.
6. Restart Whonix-Gateway.
7. Restart Whonix-Workstation

If you only want to upgrade Whonix-Workstation[edit]

1. Backup your data. (Ideally have a copy of your VM, so you can try again.)
2. Consider running the optional #Sanity Tests.
3. Upgrade Whonix-Workstation.
4. Power off Whonix-Workstation.
5. Get Whonix-Gateway.
6. Start Whonix-Gateway.
7. Start Whonix-Workstation

You can ignore the following errors.

Non-Critical Errors / Warnings[edit]

[Jun 09 15:39:42] WARNING torsocks[18737]

Other warnings / errors should be reported.

Sanity Tests[edit]

sudo dpkg --audit ; echo $?

Expected output.

0
sudo dpkg --configure -a ; echo $?

Expected output:

0

Get package upgrades.

sudo apt-get update
sudo apt-get dist-upgrade

Test wise install python-qt4.

sudo apt-get install python-qt4 ; echo $?
## ... successful installation of python-qt4 ...
0

Known Issues[edit]

General[edit]

Upgrade of the whonix-gw-desktop-shortcuts, whonix-ww-desktop-shortcuts could take a while. [1] The output "sudo: unable to resolve host host" is expected. No big issue. Just annoying time sunk. Will be fixed after upgrade.

Qubes specific[edit]

Qubes specific.

apt-get not linked warning[edit]

*** OMINOUS WARNING ***: /usr/bin/apt-get is not linked to either apt-get.anondist or apt-get.anondist-orig

Can be ignored. (Something we ought to fix for Whonix 12.)

warning: setlocale: LC_ALL:[edit]

Qubes specific.

/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

TODO

Configuring iptables-persistent dialog[edit]

Qubes specific. (ticket)

Package configuration                                                                                                 
 ┌───────────────────────────────────────┤ Configuring iptables-persistent ├───────────────────────────────────────┐  
 │                                                                                                                 │  
 │ Current iptables rules can be saved to the configuration file /etc/iptables/rules.v4. These rules will then be  │  
 │ loaded automatically during system startup.                                                                     │  
 │                                                                                                                 │  
 │ Rules are only saved automatically during package installation. See the manual page of iptables-save(8) for     │  
 │ instructions on keeping the rules file up-to-date.                                                              │  
 │                                                                                                                 │  
 │ Save current IPv4 rules?                                                                                        │  
 │                                                                                                                 │  
 │                                 <Yes>                                    <No>                                   │  
 │                                                                                                                 │  
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘  

Say no. (Just keep the default=N. Just press enter.)

Configuring base-passwd[edit]

Qubes specific.

Package configuration                                                                                                 
 ┌───────────────────────────────────────────┤ Configuring base-passwd ├───────────────────────────────────────────┐  
 │                                                                                                                 │  
 │ update-passwd has found a difference between your system accounts and the current Debian defaults.  It is       │  
 │ advisable to allow update-passwd to change your system; without those changes some packages might not work      │  
 │ correctly.  For more documentation on the Debian account policies, please see                                   │  
 │ /usr/share/doc/base-passwd/README.                                                                              │  
 │                                                                                                                 │  
 │ The proposed change is:                                                                                         │  
 │                                                                                                                 │  
 │ Remove group "qubes" (98)                                                                                       │  
 │                                                                                                                 │  
 │ If you allow this change, a backup of modified files will be made with the extension .org, which you can use    │  
 │ if necessary to restore the current settings.  If you do not make this change now, you can make it later with   │  
 │ the update-passwd utility.                                                                                      │  
 │                                                                                                                 │  
 │ Do you want to remove the group qubes?                                                                          │  
 │                                                                                                                 │  
 │                                 <Yes>                                    <No>                                   │  
 │                                                                                                                 │  
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Say no. [2]

dependency problems, but removing anyway as you requested[edit]

Qubes specific.

dpkg: gcc-4.7-base:amd64: dependency problems, but removing anyway as you requested:
 libstdc++6:amd64 depends on gcc-4.7-base (= 4.7.2-5).
 libgfortran3:amd64 depends on gcc-4.7-base (= 4.7.2-5).
 libgcc1:amd64 depends on gcc-4.7-base (= 4.7.2-5).
 gcc-4.7 depends on gcc-4.7-base (= 4.7.2-5).
 libquadmath0:amd64 depends on gcc-4.7-base (= 4.7.2-5).
 g++-4.7 depends on gcc-4.7-base (= 4.7.2-5).
 cpp-4.7 depends on gcc-4.7-base (= 4.7.2-5).
 libstdc++6-4.7-dev depends on gcc-4.7-base (= 4.7.2-5).

Can be ignored.

interactive dpkg conflict resolution dialog /etc/network/interfaces.whonix[edit]

Qubes specific.

Configuration file '/etc/network/interfaces.whonix'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** interfaces.whonix (Y/I/N/O/D/Z) [default=N] ? 

Say no. (Just keep the default=N. Just press enter.)

interactive dpkg conflict resolution dialog /etc/xdg/autostart/nm-applet.desktop[edit]

Qubes specific.

Configuration file '/etc/xdg/autostart/nm-applet.desktop'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** nm-applet.desktop (Y/I/N/O/D/Z) [default=N] ? 

Say yes. Press Y followed by enter. Would not be a big problem if you said no also. [3]

interactive dpkg conflict resolution dialog /etc/pulse/client.conf[edit]

Qubes specific.

Configuration file '/etc/pulse/client.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** client.conf (Y/I/N/O/D/Z) [default=N] ?

Say yes. Press Y followed by enter. Would not be a big problem if you said no also.

purge unneeded packages[edit]

When running.

sudo apt-get purge db5.1-util grub-common grub-pc grub-pc-bin grub2-common

You'll get the following dialog.

Package configuration
                                                 ┌────────────────────────────┤ Configuring grub-pc ├─────────────────────────────┐
                                                 │                                                                                │
                                                 │ Do you want to have all GRUB 2 files removed from /boot/grub?                  │
                                                 │                                                                                │
                                                 │ This will make the system unbootable unless another boot loader is installed.  │
                                                 │                                                                                │
                                                 │ Remove GRUB 2 from /boot/grub?                                                 │
                                                 │                                                                                │
                                                 │                      <Yes>                         <No>                        │
                                                 │                                                                                │
                                                 └────────────────────────────────────────────────────────────────────────────────┘

In Qubes (!!!), it's safe to say yes.

connect: Connection refused[edit]

Can be ignored.

connect: Connection refused

whonix-ws whonixcheck TemplateVM error[edit]

whonixcheck automatically starts in whonix-ws TemplateVM and shows an error. Ignore it.

Other Qubes specific Issues[edit]

See ticket:
https://phabricator.whonix.org/T380

Other Unlisted[edit]

Please post any issues in Whonix support forums.

Qubes Pre Fixup[edit]

Only required for Qubes users. Other users must skip this.

Delete firewall.png. [4]

sudo rm /usr/share/icons/anon-icon-pack/firewall.png

Stop qubes-qrexec-agent. [5] Testing.

sudo systemctl stop qubes-qrexec-agent

Ignore the expand button on the right side.

Upgrade qubes-core-agent to at least 3.0.15-1+deb8u1 and qubes-gui-agent to at least 3.0.9+deb8u1. Otherwise you'll run into grave issues. [6] This is currently only possible from Qubes' wheezy-testing repository. To do that, open /etc/apt/sources.list.d/qubes-r3.list with root rights. For example.

kdesudo kwrite /etc/apt/sources.list.d/qubes-r3.list

Comment in the following line by removing the # in front of it.

deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm wheezy-testing main

Close and save.

sudo apt-get update
sudo apt-get dist-upgrade

You'll see something like the following. Then it will hang.

Setting up qubes-core-agent (3.0.15-1+deb7u1) ...

Configuration file `/etc/apt/sources.list.d/qubes-r3.list'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** qubes-r3.list (Y/I/N/O/D/Z) [default=N] ? 
Installing new version of config file /etc/xen/scripts/vif-route-qubes ...
Leaving 'diversion of /etc/init/plymouth-shutdown.conf to /etc/init/plymouth-shutdown.conf.qubes-disabled by qubes-core-agent'
Leaving 'diversion of /etc/init/prefdm.conf to /etc/init/prefdm.conf.qubes-disabled by qubes-core-agent'
Leaving 'diversion of /etc/init/splash-manager.conf to /etc/init/splash-manager.conf.qubes-disabled by qubes-core-agent'
Leaving 'diversion of /etc/init/start-ttys.conf to /etc/init/start-ttys.conf.qubes-disabled by qubes-core-agent'
Leaving 'diversion of /etc/init/tty.conf to /etc/init/tty.conf.qubes-disabled by qubes-core-agent'
Leaving 'diversion of /etc/init/serial.conf to /etc/init/serial.conf.qubes-orig by qubes-core-agent'

This is an expected, known qrexec bug[7] that was fixed in the version you are installing. Wait a two minutes. Then open a second konsole (or konsole tab) and run.

sudo killall qubes-trigger-sync-appmenus.sh

To make sure all upgrades were applied besides the one hanging command, run again.

sudo apt-get dist-upgrade

Turn off the VM and start it again so the new qrexec will be used.

sudo poweroff

Then proceed.

Upgrading[edit]

Downloading a new Whonix-Gateway / Whonix-Workstation will be probably easier than applying the following instructions for upgrading.

Backups are important as noted in above chapter #Before you start. Especially for Qubes users. [8]

Consider doing the #Sanity Tests described above. They'll check if your system is affected by obvious grave issues, that you must fix before attempting to upgrade. If your package manager is broken, for example because you mixed packages from Debian stable with packages from Debian testing, then the upgrade may fail in the middle leaving your system in a difficult to resolve situation.

Consider keeping the full terminal (Konsole) log. Even if everything apparently worked, there might be issues after reboot. In case of a bug report in the forums you would be asked to share the upgrading log so the issue can be investigated.

Make sure you read #Known Issues above.

Become root.

sudo su

Do a usual upgrade of your system's packages from Debian.

For Qubes users, before you proceed, it is strongly recommended that you apply the above #Qubes Pre Fixup.

Enable Whonix's jessie repository. Don't use the testers repository just yet. [Wait for new information.]

whonix_repository --enable --codename jessie

Now we have to edit a few apt sources. The following three sed commands will do that for you. (But if you cannot or are not comfortable with using copy and paste, and you know what you are doing, you could also manually open an editor and make the described changes.)

Switch Debian sources from wheezy to jessie in /etc/apt/sources.list.d/debian.list.

sed -i "s/wheezy/jessie/g" /etc/apt/sources.list.d/debian.list

Switch Torproject sources from wheezy to jessie in /etc/apt/sources.list.d/debian.list.

sed -i "s/wheezy/jessie/g" /etc/apt/sources.list.d/torproject.list

As a Qubes user, note that upgrades are currently only possible using Qubes' testing repository. Otherwise you run into grave issues. [6] Switch Qubes' sources from wheezy to jessie-testing in /etc/apt/sources.list.d/qubes-r3.list. (Non-Qubes users should skip Qubes specific steps.) [9] One the related bug has been fixed, consider removing the "-testing" from /etc/apt/sources.list.d/qubes-r3.list.

sed -i "s/wheezy/jessie-testing/g" /etc/apt/sources.list.d/qubes-r3.list

As a Qubes user, remove the wheezy-backports repository from /etc/apt/sources.list.d/debian.list. [10]

sed -i "s#deb http://ftp.us.debian.org/debian/ wheezy-backports main##g" /etc/apt/sources.list

Make the upgrade process less interactive. Optional. (Mostly Qubes specific unless you installed apt-listchanges.)

export APT_LISTCHANGES_FRONTEND=text

Enable extensive debugging so reporting eventual bugs becomes easier.

export DEBDEBUG=1

Set environment variable TORSOCKS_LOG_LEVEL=1 to reduce unnecessary torsocks warnings. [11]

export TORSOCKS_LOG_LEVEL=1

Update your package lists.

apt-get update

Let's first upgrade torsocks and uwt, so we see fewer torsocks warning later on. [12]

apt-get install torsocks uwt

Qubes specific fix.

localedef -f UTF-8 -i en_US -c en_US.UTF-8

Qubes specific fix.

update-locale LC_ALL=en_US.UTF-8

Upgrade.

apt-get dist-upgrade || apt-get -f install || apt-get dist-upgrade

Make sure the packages ntp, ntpdate and chrony are not installed. Trying to remove them is enough. Specifically important for Qubes users.[13]

apt-get purge ntp ntpdate chrony

If you are not a user of KVM, you can optionally remove the spice-vdagent package. KVM users are probably better of keeping it.

apt-get purge spice-vdagent

Qubes only. Whonix-Gateway only. Move old qubes-whonix-control-port-filter-python.service out of the way.

sudo mv /etc/systemd/system/qubes-whonix-control-port-filter-python.service ~/

Qubes only. Whonix-Gateway only. Move old /etc/init.d/control-port-filter-python out of the way.

sudo mv /etc/init.d/control-port-filter-python ~/

Qubes only. Whonix-Gateway only. Enable control-port-filter-python.

sudo systemctl enable control-port-filter-python

Qubes only. Whonix-Workstation only. Move old /etc/tmpfiles.d/tor.conf out of the way. [14]

sudo mv /etc/tmpfiles.d/tor.conf ~/

It is recommended to have the whonix-gateway / whonix-workstation package installed to make sure nothing is broken. (If you like to uninstall it later as per Whonix Debian Packages, you're free to do so. Still, it is recommended to re-install it before removal to make sure you're as close to official package selection as possible.)

If you are upgrading Whonix-Gateway...

apt-get install whonix-gateway

If you are upgrading Whonix-Workstation...

apt-get install whonix-workstation

Get rid of old packages.

apt-get autoremove

Optional: Users of VirtualBox, KVM and Physical Isolation can optionally consider installation of the grub-screen-resolution package, which would set resolution to 1024x768 during boot. [15] (Recommended.)

apt-get install grub-screen-resolution

Optional: Users of VirtualBox, KVM and Physical Isolation can optionally consider installation of the grub-output-verbose package, which would show more verbose output during boot. For better usability, so it doesn't look like boot hangs on slow systems and to ease debugging in case of issues. [16] (Recommended.)

apt-get install grub-output-verbose

Qubes only! Get rid of Whonix's autostart of Whonix Setup Wizard.

sudo mv /etc/xdg/autostart/whonix-setup-wizard.desktop ~/

Restore original /etc/default/grub. [17]

sudo cp /etc/default/grub.anondist-orig /etc/default/grub

Update grub. (Qubes users can skip this.)

update-grub

Consider applying the #Grub Fix now or after reboot.

Remember to store the terminal (Konsole) log. (File -> Save Output As)

Reboot required.

reboot

Grub Fix[edit]

Applying this fix is recommended after upgrading from Whonix 10 to Whonix 11.

Useful if you saw the the error shown on the following screenshot after boot.

Grub error file not found issue.png

Fortunately, this fix isn't critical. The system is still bootable. To have it bootable also in future it's a good idea to fix this.

Recommended for users of VirtualBox and KVM. Not required for users of Qubes, because it is not yet using grub. [18] Maybe not required for users of Physical Isolation.

  • VirtualBox users: sudo grub-install /dev/sda ; echo $?
  • KVM users: sudo grub-install /dev/vda ; echo $?
  • Qubes users: Not required.
  • Physical Isolation users: Probably not required.

Expected output.

Installing for i386-pc platform.
Installation finished. No error reported.
0

Qubes Cleanup[edit]

Qubes-Whonix-Gateway purge unneeded packages[edit]

You can optionally purge the following unneeded packages from Qubes-Whonix-Gateway.

sudo apt-get purge cups mutt icedove amd64-microcode intel-microcode avahi-daemon

Footnotes[edit]

  1. During
    sudo -u user ln -s /usr/share/applications/kde4/konsole.desktop /home/user/Desktop/
    
  2. Qubes bug in place upgrade issue - base-passwd debconf interative question asks 'Remove group "qubes"'? will be fixed after the upgrade.
  3. https://github.com/QubesOS/qubes-issues/issues/1095#issuecomment-129236062
  4. This might trigger a qrexec bug.
  5. Because there are known issues with qrexec during distribution upgrades.
  6. 6.0 6.1
  7. https://groups.google.com/d/msg/qubes-users/MoUqGfMpMu0/2tGlVYbiBwAJ
  8. Qubes has some more issues with distribution upgrades.
  9. Once the fixed packages migrate into stable we can drop the "-testing".
    sed -i "s/wheezy/jessie/g" /etc/apt/sources.list.d/qubes-r3.list
    
  10. The following line.
    deb http://ftp.us.debian.org/debian/ wheezy-backports main
    

    Needs to be removed from /etc/apt/sources.list because fortunately, Qubes no longer needs it.

  11. Disable torsocks warning spam such as.
    [May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165)
    https://phabricator.whonix.org/T317
  12. Due to transition from torsocks 1.x to torsocks 2.x.
  13. https://github.com/QubesOS/qubes-issues/issues/1102
  14. Otherwise systemd service systemd-tmpfiles-setup would enter a failed state.
  15. https://github.com/Whonix/grub-screen-resolution/blob/master/etc/default/grub.d/30_screen_resolution.cfg
  16. https://github.com/Whonix/grub-output-verbose/blob/master/etc/default/grub.d/30_output_verbose.cfg
  17. The grub-enable-apparmor package no longer modifies that file. Now implemented using /etc/default/grub.d. See also: https://phabricator.whonix.org/T25
  18. https://phabricator.whonix.org/T353#5523

Random News:

Don't mind having your name connected to Whonix? Follow us. Twitter / Facebook / g+


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.