Actions

Upgrading Whonix 13 to Whonix 14

From Whonix

Info To use Whonix ™ 14, users can either:

  • A) upgrade existing Whonix ™ 13 templates OR,
  • B) re-install Whonix ™ by downloading the new release, which is much simpler than upgrading.

High Level Overview[edit]

Upgrading Templates[edit]

  1. Backup your data - ideally have a copy of the VM so it is possible to try again (if necessary).
  2. Consider running the optional sanity tests.
  3. Upgrade Whonix-Workstation ™ (whonix-ws).
  4. Power off Whonix-Workstation ™ (whonix-ws).
  5. Upgrade Whonix-Gateway ™ (whonix-gw).
  6. Restart Whonix-Gateway ™ (whonix-gw).
  7. Restart Whonix-Workstation ™ (whonix-ws).
  8. Qubes-Whonix ™: optionally route all updates via sys-whonix.

Downloading New Templates[edit]

  1. Consider running the optional sanity tests.
  2. Download the Whonix-Workstation ™ (whonix-ws) and Whonix-Gateway ™ (whonix-gw) images.
  3. Update the Whonix ™ templates.
  4. Qubes-Whonix ™: optionally route all updates via sys-whonix.

Sanity Tests[edit]

These are optional, but recommended. To complete sanity tests, please press on expand on the right.

sudo dpkg --audit ; echo $?

Expected output.

0

sudo dpkg --configure -a ; echo $?

Expected output.

0

Get package upgrades.

sudo apt-get update

sudo apt-get dist-upgrade

For testing purposes, install python-qt4.

sudo apt-get install python-qt4 ; echo $?

## ... successful installation of python-qt4 ...
0

Upgrading[edit]

Introduction[edit]

Info Downloading a new Whonix-Gateway ™ / Whonix-Workstation ™ is easier than applying the following upgrade instructions, but this process should be relatively smooth.

Both Non-Qubes-Whonix ™ and Qubes-Whonix ™ are supported.

First consider completing the sanity tests described above; the system is checked for obvious and grave issues that must be fixed before attempting an upgrade. For example, if the package manager is broken due to the mixing of packages from both Debian stable and Debian testing, then the upgrade may fail part way through, leaving the system in an unstable state that is difficult to resolve.

Consider retaining the full terminal (Konsole) log. Even if the upgrade appears successful, there might be issues following reboot. To properly report a bug in the Whonix ™ forums it is necessary to share the upgrade log so the issue can be investigated.

Update Package and Sources Lists[edit]

First, upgrade the system's packages from Debian.

Info If you are using Qubes-Whonix ™: When upgrading the TemplateVM, /usr/local/etc/torrc.d/50_user.conf in the Whonix-Gateway ™ TemplateBased ProxyVM (commonly called sys-whonix) will not be modified, because bind-dirs makes it persistent. [1]

All Platforms[edit]

Update Whonix ™ apt sources list.

sudo whonix_repository --enable --codename stretch

Update Debian apt sources list.

sudo sed -i "s/jessie/stretch/g" /etc/apt/sources.list.d/debian.list

Delete backports, testing, unstable repository, as well as default release APT config snippet. [2]

sudo rm -f /etc/apt/sources.list.d/backports.list /etc/apt/sources.list.d/testing.list /etc/apt/sources.list.d/unstable.list /etc/apt/apt.conf.d/70defaultrelease

Qubes-Whonix ™ Only[edit]

Update Qubes apt sources list.

sudo sed -i "s/jessie/stretch/g" /etc/apt/sources.list.d/qubes*.list

Preparation[edit]

Become root.

sudo su

Enable extensive debugging so the reporting of any eventual bugs is easier.

export DEBDEBUG=1

Update Select Packages.

Update the package lists.

apt-get update

Upgrade torsocks and usability-misc first. [3] [4]

apt-get install torsocks usability-misc
Ignore any errors relating to missing torsocks libraries.

Stop whonixcheck systemd unit. [5]

systemctl stop whonixcheck

Upgrade[edit]

Distribution Upgrade and Package Purge[edit]

Run.

apt-get-noninteractive dist-upgrade
Ignore errors relating to exim* amd mailx - these packages will be removed in the next step.

Purge packages which are not required or deprecated in Whonix ™ and have been replaced by new functionality. [6] anon-shared-kde-accessibility and kaccessible can be excluded from the following command if accessibility tools are in use.

apt-get purge anon-shared-kde-accessibility kaccessible iceweasel firefox-esr exim* unattended-upgrades cups control-port-filter-python packagekit at wpasupplicant apparmor-profile-sdwdate apparmor-profile-whonixcheck kde-apper-no-autoupdate emacs

Restart Necessary Services[edit]

Restart whonix-legacy service. [7]

service whonix-legacy restart

Install Whonix-Gateway ™ and Whonix-Workstation ™[edit]

Update the package lists again. [8]

apt-get update

Non-Qubes-Whonix ™ users please click on expand on the right.

Info Non-Qubes-Whonix only! Only complete this step in Whonix-Gateway ™!

apt-get install non-qubes-whonix-gateway

Info Non-Qubes-Whonix only! Only complete this step in Whonix-Workstation ™!

apt-get install non-qubes-whonix-workstation

Qubes-Whonix ™ users please click on expand on the right.

Info Qubes-Whonix ™ only! Only complete this step in Whonix-Gateway ™ (whonix-gw)!

apt-get install qubes-whonix-gateway

Info Qubes-Whonix ™ only! Only complete this step in Whonix-Workstation ™ (whonix-ws)!

apt-get install qubes-whonix-workstation

Miscellaneous Configuration Steps[edit]

Info Qubes-Whonix ™ Whonix-Workstation ™ (whonix-ws) only! Qubes R4 only!

apt-get install pulseaudio-qubes


Remove Unneeded Packages and Reinstall Firewall[edit]

Qubes-Whonix ™ Only[edit]

Remove power-savings-disable-in-vms.

sudo apt-get purge power-savings-disable-in-vms

All Platforms[edit]

Delete /etc/X11/Xsession.d/50kde-apper-no-autoupdate

sudo rm -f /etc/X11/Xsession.d/50kde-apper-no-autoupdate

Remove packages which are no longer required.

apt-get autoremove

Reinstall whonix-firewall. [9]

apt-get install --reinstall whonix-firewall

Systemctl unmask whonix-firewall.

systemctl unmask whonix-firewall

Systemctl enable whonix-firewall.

systemctl enable whonix-firewall

VirtualBox Only[edit]

The next step is required for VirtualBox users only! [10]

sudo apt-get install --reinstall virtualbox-guest-*

Konsole Log[edit]

Remember to store the terminal (Konsole) log: FileSave Output As

Open a new terminal (Konsole) tab. [11]

Whonix ™ APT-Repository[edit]

Run Whonix ™ APT Repository Tool.

kdesudo whonix-repository-wizard

A poweroff is required.

sudo poweroff

All necessary steps are now complete for Non-Qubes-Whonix ™ users. Qubes-Whonix ™ users should complete the additional steps below.

Qubes-Whonix ™ Only[edit]

To launch a dom0 terminal, click the Qubes App Launcher (blue/grey "Q") and then open the Terminal Emulator (Xfce Terminal).

Qubes-whonix1.png

Update Qubes dom0.

sudo qubes-dom0-update

Only complete the next step if all TemplateVM upgrades should be routed through sys-whonix. [12]

In dom0, run. [13]

sudo qubesctl state.sls qvm.anon-whonix

Optional. If you like to upgrade Qubes TemplateVMs via sys-whonix. In dom0, run.

sudo qubesctl state.sls qvm.updates-via-whonix

The upgrade procedure is now complete.

Optional: To configure a new sys-whonix-14 ProxyVM for all TemplateVM updates in Qubes R4, follow the steps below.

Update Settings in Qubes R4[edit]

1. Create a new Proxy-VM using the whonix-gw-14 template. Label the new VM sys-whonix-14.

2. Edit the /etc/qubes-rpc/policy/qubes.UpdatesProxy file to set sys-whonix-14 as the target VM for the recently upgraded Whonix-Workstation ™ and Whonix-Gateway ™. Copy and paste the text below.

whonix-ws $default allow,target=sys-whonix
whonix-ws $anyvm deny
whonix-gw $default allow,target=sys-whonix
whonix-gw $anyvm deny

whonix-ws-15 $default allow,target=sys-whonix-14
whonix-ws-15 $anyvm deny
whonix-gw-15 $default allow,target=sys-whonix-14
whonix-gw-15 $anyvm deny

## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

$anyvm $anyvm deny

Save and exit.

3. After upgrading to Qubes-Whonix ™ 14 in Qubes R4, the network setting for any Whonix ™ TemplateVM should be set to none because a qrexec-based updates proxy is in use. [14]


Footnotes[edit]

  1. Some users have reported that a manual file check for `DisableNetwork 0` is required at this step, otherwise networking is absent.
  2. Only required if you previously enabled but the command is safe to run even if you did not use it earlier.
  3. This avoids some torsocks warnings due to the torsocks upgrade.
  4. Provides apt-get-noninteractive.
  5. https://forums.whonix.org/t/upgrade-from-13-to-14-breaking-whonix-every-time
  6. sysfsutils - https://github.com/Whonix/Whonix/commit/d7cb15aa96bd571368b54f8a980922d9e1982250
  7. A manual restart is required because apt-get-noninteractive is being used. This step is not crucial since it would also run after reboot.
  8. This is required because the Whonix ™ repository URI has been upgraded to a new location by the whonix-legacy package.
  9. This is because of the whonix-gw-firewall / whonix-ws-firewall to whonix-firewall package migration.
  10. This is not always required and depends on the host VirtualBox version; no harm is caused if it is not needed.
  11. Or type exit to sign out as root to get back to user user.
  12. https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/updates-via-whonix.sls
  13. This applies all salt settings.
  14. Qubes-Whonix ™ 13 supports this feature as well after running apt-get dist-upgrade.

No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Bored? Want to chat with other Whonix users? Join us in IRC chat (Webchat).


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.