Upgrading Whonix 13 to Whonix 14
 | TESTERS ONLY! |
 | To use Whonix 14, users can either upgrade existing Whonix 13 templates or download testers-only templates. The latter procedure is much simpler than upgrading. |
Contents
- 1 High Level Overview
- 2 Sanity Tests
- 3 Upgrading
- 3.1 Introduction
- 3.2 Update Package and Sources Lists
- 3.3 Enable Debugging and Update Select Packages
- 3.4 Upgrade
- 3.4.1 Distribution Upgrade and Package Purge
- 3.4.2 Restart Necessary Services
- 3.4.3 Install Whonix-Gateway and Whonix-Workstation
- 3.4.4 Miscellaneous Configuration Steps
- 3.4.5 Remove Unneeded Packages and Reinstall Firewall
- 3.4.6 VirtualBox Only
- 3.4.7 Konsole Log
- 3.4.8 Whonix APT-Repository
- 3.4.9 Qubes-Whonix Only
- 4 Download New Templates
- 5 Footnotes
High Level Overview[edit]
Upgrading Templates
1. Backup your data - ideally have a copy of the VM so it is possible to try again (if necessary).
2. Consider running the optional sanity tests.
3. Upgrade Whonix-Workstation (whonix-ws).
4. Power off Whonix-Workstation (whonix-ws).
5. Upgrade Whonix-Gatway (whonix-gw).
6. Restart Whonix-Gateway (whonix-gw).
7. Restart Whonix-Workstation (whonix-ws).
8. Qubes-Whonix: optionally route all updates via sys-whonix.
Downloading New Templates
1. Consider running the optional sanity tests.
2. Download the testers-only Whonix-Workstation (whonix-ws) and Whonix-Gateway (whonix-gw) images.
3. Update the Whonix templates.
4. Qubes-Whonix: optionally route all updates via sys-whonix.
Sanity Tests[edit]
These are optional, but recommended. To complete sanity tests, please press on expand on the right.
Expected output.
Expected output.
For testing purposes, install python-qt4.
Upgrading[edit]
Introduction[edit]
| Downloading a new Whonix-Gateway / Whonix-Workstation is easier than applying the following upgrade instructions, but this process should be relatively smooth. |
Both Non-Qubes-Whonix and Qubes-Whonix are supported.
First consider completing the sanity tests described above; the system is checked for obvious and grave issues that must be fixed before attempting an upgrade. For example, if the package manager is broken due to the mixing of packages from both Debian stable and Debian testing, then the upgrade may fail part way through, leaving the system in an unstable state that is difficult to resolve.
Consider retaining the full terminal (Konsole) log. Even if the upgrade appears successful, there might be issues following reboot. To properly report a bug in the Whonix forums it is necessary to share the upgrade log so the issue can be investigated.
| If you are using Qubes-Whonix: If Qubes R3.0 or R3.1 is used as the host operating system, it is strongly advised to upgrade the VMs and dom0 to R3.2 before proceeding. Only Qubes R3.2 and R4 are currently supported. [1] Follow the Qubes R3.1 > R3.2 upgrade instructions on the Qubes website. |
Update Package and Sources Lists[edit]
First, upgrade the system's packages from Debian.
| If you are using Qubes-Whonix: When upgrading the TemplateVM, /etc/tor/torrc in the Whonix-Gateway TemplateBased ProxyVM (commonly called sys-whonix) will not be modified, because bind-dirs makes it persistent. |
All Platforms
Update Whonix apt sources list.
Update Debian apt sources list.
Qubes-Whonix Only
Update Qubes apt sources list.
Enable Debugging and Update Select Packages[edit]
Become root.
Enable extensive debugging so the reporting of any eventual bugs is easier.
Update the package lists.
Upgrade torsocks and usability-misc first. [2] [3]
Ignore any errors relating to missing torsocks libraries.Upgrade[edit]
Distribution Upgrade and Package Purge[edit]
Run.
Ignore errors relating to exim* amd mailx - these packages will be removed in the next step.Purge packages which are not required or deprecated in Whonix and have been replaced by new functionality. [4] anon-shared-kde-accessibility and kaccessible can be excluded from the following command if accessibility tools are in use.
apt-get purge anon-shared-kde-accessibility kaccessible iceweasel firefox-esr exim* unattended-upgrades cups control-port-filter-python packagekit at wpasupplicant apparmor-profile-sdwdate apparmor-profile-whonixcheck kde-apper-no-autoupdate
Restart Necessary Services[edit]
Restart whonix-legacy service. [5]
Install Whonix-Gateway and Whonix-Workstation[edit]
Update the package lists again. [6]
Non-Qubes-Whonix users please click on expand on the right.
| Non-Qubes-Whonix only! Only complete this step in Whonix-Gateway! |
| Non-Qubes-Whonix only! Only complete this step in Whonix-Workstation! |
Qubes-Whonix users please click on expand on the right.
| Qubes-Whonix only! Only complete this step in Whonix-Gateway (whonix-gw)! |
| Qubes-Whonix only! Only complete this step in Whonix-Workstation (whonix-ws)! |
Miscellaneous Configuration Steps[edit]
| Qubes-Whonix Whonix-Workstation (whonix-ws) only! Qubes R4 only! |
Remove Unneeded Packages and Reinstall Firewall[edit]
Qubes-Whonix Only
Remove power-savings-disable-in-vms.
All Platforms
Delete /etc/X11/Xsession.d/50kde-apper-no-autoupdate.
Remove packages which are no longer required.
Reinstall whonix-firewall. [7]
Systemctl unmask whonix-firewall.
Systemctl enable whonix-firewall.
VirtualBox Only[edit]
The next step is required for VirtualBox users only! [8]
Konsole Log[edit]
Remember to store the terminal (Konsole) log: File -> Save Output As
Open a new terminal (Konsole) tab. [9]
Whonix APT-Repository[edit]
Run Whonix APT Repository Tool.
A poweroff is required.
All necessary steps are now complete for non-Qubes-Whonix users. Qubes-Whonix users should complete the additional steps below.
Qubes-Whonix Only[edit]
In dom0, run.
Only complete the next step if all TemplateVM upgrades should be routed through sys-whonix. [10]
The upgrade procedure is now complete.
Optional: To configure a new sys-whonix-14 ProxyVM for all TemplateVM updates in Qubes R4, follow the steps below.
Update Settings in Qubes R4[edit]
1. Create a new Proxy-VM using the whonix-gw-14 template. Label the new VM sys-whonix-14.
2. Edit the /etc/qubes-rpc/policy/qubes.UpdatesProxy file to set sys-whonix-14 as the target VM for the recently upgraded Whonix-Workstation and Whonix-Gateway. Copy and paste the text below.
whonix-ws $default allow,target=sys-whonix whonix-ws $anyvm deny whonix-gw $default allow,target=sys-whonix whonix-gw $anyvm deny whonix-ws-14 $default allow,target=sys-whonix-14 whonix-ws-14 $anyvm deny whonix-gw-14 $default allow,target=sys-whonix-14 whonix-gw-14 $anyvm deny ## Note that policy parsing stops at the first match, ## so adding anything below "$anyvm $anyvm action" line will have no effect ## Please use a single # to start your custom comments # Default rule for all TemplateVMs - direct the connection to sys-net $type:TemplateVM $default allow,target=sys-net $anyvm $anyvm deny
Save and exit.
3. After upgrading to Qubes-Whonix 14 in Qubes R4, the network setting for any Whonix TemplateVM should be set to none because a qrexec-based updates proxy is in use. [11]
Download New Templates[edit]
Users can simply download the latest Whonix 14, testers-only images and install Whonix as per normal procedures:
Footnotes[edit]
- ↑ https://www.qubes-os.org/downloads/
- ↑ This avoids some torsocks warnings due to the torsocks upgrade.
- ↑ Provides apt-get-noninteractive.
- ↑ sysfsutils - https://github.com/Whonix/Whonix/commit/d7cb15aa96bd571368b54f8a980922d9e1982250
- ↑ A manual restart is required because apt-get-noninteractive is being used. This step is not crucial since it would also run after reboot.
- ↑ This is required because the Whonix repository URI has been upgraded to a new location by the whonix-legacy package.
- ↑ This is because of the whonix-gw-firewall / whonix-ws-firewall to whonix-firewall package migration.
- ↑ This is not always required and depends on the host VirtualBox version; no harm is caused if it is not needed.
- ↑
Or type
exitto sign out as root to get back to useruser. - ↑ https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/updates-via-whonix.sls
- ↑ Qubes-Whonix 13 supports this feature as well after running apt-get dist-upgrade.
Interested in becoming an author for the Whonix blog or writing about anonymity, privacy and security? Please get in touch!
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)