Hi Andrew,

After removing all Whonix-related templates and VMs, I've followed the link you suggested (https://www.whonix.org/wiki/Qubes/Install) and run into errors (see below).
Any ideas why the "sudo qubesctl state.sls qvm.anon-whonix" fails and reports the whonix-gw and ws are missing? I thought it would install the templates anew, especially because there are instructions saying we should first remove whonix completely.

Best

[claudio@dom0 ~]$ sudo qubesctl state.sls qvm.anon-whonix
[ERROR ] Command '['systemd-run', '--scope', 'qubes-dom0-update', '-y', '--best', '--allowerasing', '--disablerepo=*', '--enablerepo=qubes-templates-community', '--clean', '--action=install', 'qubes-template-whonix-ws-15']' failed with return code: 1
[ERROR ] stdout: Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[ERROR ] retcode: 1
[ERROR ] Error occurred installing package(s). Additional info follows:

errors:
    - Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
      Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[WARNING ] /var/cache/salt/minion/extmods/states/ext_state_qvm.py:142: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  status = Status(retcode=1, result=False, stderr=err.message + '\n')
[ERROR ] ====== ['features'] ======
Virtual Machine does not exist!
====== ['tags'] ======
[SKIP] Skipping due to previous failure!
[ERROR ] Command '['systemd-run', '--scope', 'qubes-dom0-update', '-y', '--best', '--allowerasing', '--disablerepo=*', '--enablerepo=qubes-templates-community', '--action=install', 'qubes-template-whonix-gw-15']' failed with return code: 1
[ERROR ] stdout: Running scope as unit: run-r40ec4f8030284021a2f80d44af49d36f.scope
Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[ERROR ] retcode: 1
[ERROR ] Error occurred installing package(s). Additional info follows:

errors:
    - Running scope as unit: run-r40ec4f8030284021a2f80d44af49d36f.scope
      Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[ERROR ] ====== ['features'] ======
Virtual Machine does not exist!
====== ['tags'] ======
[SKIP] Skipping due to previous failure!
local:
----------
          ID: template-whonix-ws-15
    Function: pkg.installed
        Name: qubes-template-whonix-ws-15
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:

              errors:
                  - Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
                    Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
     Started: 11:16:43.589367
    Duration: 5101.908 ms
     Changes:
----------
          ID: whonix-ws-tag
    Function: qvm.vm
        Name: whonix-ws-15
      Result: False
     Comment: ====== ['features'] ======
              Virtual Machine does not exist!
              ====== ['tags'] ======
              [SKIP] Skipping due to previous failure!
     Started: 11:16:48.694020
    Duration: 17.289 ms
     Changes:
----------
          ID: whonix-ws-update-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is in correct state
     Started: 11:16:48.713516
    Duration: 3.164 ms
     Changes:
----------
          ID: whonix-get-date-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.GetDate
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.GetDate is in correct state
     Started: 11:16:48.716793
    Duration: 1.201 ms
     Changes:
----------
          ID: template-whonix-gw-15
    Function: pkg.installed
        Name: qubes-template-whonix-gw-15
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:

              errors:
                  - Running scope as unit: run-r40ec4f8030284021a2f80d44af49d36f.scope
                    Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
     Started: 11:16:48.718085
    Duration: 2780.185 ms
     Changes:
----------
          ID: whonix-gw-tag
    Function: qvm.vm
        Name: whonix-gw-15
      Result: False
     Comment: ====== ['features'] ======
              Virtual Machine does not exist!
              ====== ['tags'] ======
              [SKIP] Skipping due to previous failure!
     Started: 11:16:51.498524
    Duration: 15.627 ms
     Changes:
----------
          ID: whonix-gw-update-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is in correct state
     Started: 11:16:51.514280
    Duration: 1.83 ms
     Changes:
----------
          ID: sys-net
    Function: qvm.exists
      Result: True
     Comment: /usr/bin/qvm-check sys-net VM sys-net exists None
     Started: 11:16:51.516200
    Duration: 213.897 ms
     Changes:
----------
          ID: sys-firewall
    Function: qvm.exists
      Result: True
     Comment: /usr/bin/qvm-check sys-firewall VM sys-firewall exists None
     Started: 11:16:51.730518
    Duration: 216.399 ms
     Changes:
----------
          ID: sys-whonix
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: qvm.template-whonix-gw.template-whonix-gw-15
     Changes:
----------
          ID: whonix-ws-15-dvm
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix, qvm.template-whonix-ws.template-whonix-ws-15
     Changes:
----------
          ID: qvm-appmenus --update whonix-ws-15-dvm
    Function: cmd.run
      Result: False
     Comment: One or more requisite failed: qvm.whonix-ws-dvm.whonix-ws-15-dvm
     Changes:
----------
          ID: anon-whonix
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix, qvm.template-whonix-ws.template-whonix-ws-15, qvm.whonix-ws-dvm.whonix-ws-15-dvm
     Changes:

Summary for local
------------
Succeeded: 5
Failed: 8
------------
Total states run: 13
Total run time: 8.351 s
DOM0 configuration failed, not continuing
[claudio@dom0 ~]$

On Thursday, 25 July 2019 07:14:34 UTC+3, Andrew David Wong wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dear Qubes Community,
>
> We have just published Qubes
> Security Bulletin (QSB) #050: Reinstalling
> a TemplateVM does not reset the private volume. The text of this QSB is
> reproduced below. This QSB and its accompanying signatures will always
> be available in the Qubes Security Pack (qubes-secpack).
>
> View QSB #050 in the qubes-secpack:
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt
>
> Learn about the qubes-secpack, including how to obtain, verify, and read
> it:
>
> https://www.qubes-os.org/security/pack/
>
> View all past QSBs:
>
> https://www.qubes-os.org/security/bulletins/
>
> ```
>
>
> ---===[ Qubes Security Bulletin #50 ]===---
>
> 2019-07-24
>
>
> Reinstalling a TemplateVM does not reset the private volume
>
> Description
> ===========
>
> In Qubes OS, we have the ability to reinstall a TemplateVM by running
> `qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
> This is supposed to reset the corresponding TemplateVM to the state of
> the published package, i.e., no local changes should remain.
>
> One uncommon reason to perform such a reinstallation is that you suspect
> that a TemplateVM may be compromised. In such cases, it is very
> important that no local changes persist in order to ensure that the
> TemplateVM is no longer compromised.
>
> Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
> using qubes-dom0-update does not completely reset all local changes to
> that TemplateVM. Although the tool itself and our documentation claim
> that the private volume of the TemplateVM is reset during
> reinstallation, the private volume does not actually get reset. This
> could allow a TemplateVM to remain compromised across a reinstallation
> of that TemplateVM using qubes-dom0-update.
>
> Workaround
> ==========
>
> Fixed packages are forthcoming. In the meantime, we recommend avoiding
> the qubes-dom0-update method of reinstalling a TemplateVM. Instead, we
> recommend manually removing the TemplateVM, then installing it again.
> Detailed instructions for this manual method are documented here:
>
> https://www.qubes-os.org/doc/reinstall-template/#manual-method
>
> (Note that we have updated this page with a warning against the
> automatic method.)
>
> Patching
> =========
>
> We expect to have fixed packages available next week. In the meantime,
> please follow the workaround described in the previous section. We will
> update this QSB when fixed packages are available.
>
> Credits
> ========
>
> Thank you to Andrey Bienkowski <hexagonr...@gmail.com> for
> discovering and reporting this issue.
>
> References
> ===========
>
> [1] https://www.qubes-os.org/doc/reinstall-template/
> [2]
> https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
>
>
> - --
> The Qubes Security Team
> https://www.qubes-os.org/security/
>
> ```
>
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2019/07/24/qsb-050/
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
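The `qubesctl` output in the message above reports eight failed states, most of them knock-on failures. The following is an added example, not part of the original thread or of Qubes/Salt code: it parses Salt's per-state result blocks and separates package-install failures from missing-VM and "requisite failed" failures. The names `parse_states` and `triage` and the bucket labels are hypothetical, and the sample is constructed by abridging four blocks from the log.

```python
import re

# Constructed sample, abridged from the qubesctl output in the message above.
SAMPLE = """\
----------
          ID: template-whonix-ws-15
    Function: pkg.installed
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:
----------
          ID: whonix-ws-tag
    Function: qvm.vm
      Result: False
     Comment: ====== ['features'] ====== Virtual Machine does not exist!
----------
          ID: whonix-ws-update-policy
    Function: file.prepend
      Result: True
----------
          ID: anon-whonix
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix
"""

FIELD = re.compile(r"^\s*(ID|Function|Result|Comment):\s*(.*)$")

def parse_states(text):
    """Split Salt state output into one dict of fields per state block."""
    states = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            if (m := FIELD.match(line)):
                # Keep the first occurrence; comment continuation lines are ignored.
                fields.setdefault(m.group(1), m.group(2).strip())
        if "ID" in fields and "Result" in fields:
            states.append(fields)
    return states

def triage(states):
    """Bucket failed states: first failures apart from knock-on failures."""
    buckets = {"install": [], "missing_vm": [], "cascade": [], "other": []}
    for s in (s for s in states if s["Result"] == "False"):
        comment = s.get("Comment", "")
        kind = ("cascade" if "requisite failed" in comment
                else "install" if s.get("Function") == "pkg.installed"
                else "missing_vm" if "does not exist" in comment
                else "other")
        buckets[kind].append(s["ID"])
    return buckets
```

Run against the full log, the `install` bucket holds the two `pkg.installed` states for the Whonix templates; the `qvm.vm` states that fail with "Virtual Machine does not exist!" or "requisite failed" name those same templates or the VMs built on them.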