Hi Andrew,

After removing all Whonix related templates and VMs, I've followed the 
link you suggested (https://www.whonix.org/wiki/Qubes/Install) and run into 
errors (see below).

Any ideas why the "sudo qubesctl state.sls qvm.anon-whonix" fails and 
reports the whonix-gw and ws are missing? I thought it would install the 
templates anew, especially because there are instructions saying we should 
first remove whonix completely.

Best

[claudio@dom0 ~]$ sudo qubesctl state.sls qvm.anon-whonix
[ERROR   ] Command '['systemd-run', '--scope', 'qubes-dom0-update', '-y', 
'--best', '--allowerasing', '--disablerepo=*', 
'--enablerepo=qubes-templates-community', '--clean', '--action=install', 
'qubes-template-whonix-ws-15']' failed with return code: 1
[ERROR   ] stdout: Running scope as unit: 
run-r73c74b031ca0467aa7984ab0632f7f78.scope
Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this 
may take some time...
[ERROR   ] retcode: 1
[ERROR   ] Error occurred installing package(s). Additional info follows:

errors:
    - Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
      Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; 
this may take some time...
[WARNING ] /var/cache/salt/minion/extmods/states/ext_state_qvm.py:142: 
DeprecationWarning: BaseException.message has been deprecated as of Python 
2.6
  status = Status(retcode=1, result=False, stderr=err.message + '\n')

[ERROR   ] ====== ['features'] ======
Virtual Machine does not exist!

====== ['tags'] ======
[SKIP] Skipping due to previous failure!
[ERROR   ] Command '['systemd-run', '--scope', 'qubes-dom0-update', '-y', 
'--best', '--allowerasing', '--disablerepo=*', 
'--enablerepo=qubes-templates-community', '--action=install', 
'qubes-template-whonix-gw-15']' failed with return code: 1
[ERROR   ] stdout: Running scope as unit: 
run-r40ec4f8030284021a2f80d44af49d36f.scope
Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this 
may take some time...
[ERROR   ] retcode: 1
[ERROR   ] Error occurred installing package(s). Additional info follows:

errors:
    - Running scope as unit: run-r40ec4f8030284021a2f80d44af49d36f.scope
      Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; 
this may take some time...
[ERROR   ] ====== ['features'] ======
Virtual Machine does not exist!

====== ['tags'] ======
[SKIP] Skipping due to previous failure!
local:
----------
          ID: template-whonix-ws-15
    Function: pkg.installed
        Name: qubes-template-whonix-ws-15
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:
              
              errors:
                  - Running scope as unit: 
run-r73c74b031ca0467aa7984ab0632f7f78.scope
                    Using mirage-firewall-wifi as UpdateVM to download 
updates for Dom0; this may take some time...
     Started: 11:16:43.589367
    Duration: 5101.908 ms
     Changes:   
----------
          ID: whonix-ws-tag
    Function: qvm.vm
        Name: whonix-ws-15
      Result: False
     Comment: ====== ['features'] ======
              Virtual Machine does not exist!
              
              ====== ['tags'] ======
              [SKIP] Skipping due to previous failure!
     Started: 11:16:48.694020
    Duration: 17.289 ms
     Changes:   
----------
          ID: whonix-ws-update-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is in correct 
state
     Started: 11:16:48.713516
    Duration: 3.164 ms
     Changes:   
----------
          ID: whonix-get-date-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.GetDate
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.GetDate is in correct state
     Started: 11:16:48.716793
    Duration: 1.201 ms
     Changes:   
----------
          ID: template-whonix-gw-15
    Function: pkg.installed
        Name: qubes-template-whonix-gw-15
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:
              
              errors:
                  - Running scope as unit: 
run-r40ec4f8030284021a2f80d44af49d36f.scope
                    Using mirage-firewall-wifi as UpdateVM to download 
updates for Dom0; this may take some time...
     Started: 11:16:48.718085
    Duration: 2780.185 ms
     Changes:   
----------
          ID: whonix-gw-tag
    Function: qvm.vm
        Name: whonix-gw-15
      Result: False
     Comment: ====== ['features'] ======
              Virtual Machine does not exist!
              
              ====== ['tags'] ======
              [SKIP] Skipping due to previous failure!
     Started: 11:16:51.498524
    Duration: 15.627 ms
     Changes:   
----------
          ID: whonix-gw-update-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is in correct 
state
     Started: 11:16:51.514280
    Duration: 1.83 ms
     Changes:   
----------
          ID: sys-net
    Function: qvm.exists
      Result: True
     Comment: /usr/bin/qvm-check sys-net 
              VM sys-net exists None
     Started: 11:16:51.516200
    Duration: 213.897 ms
     Changes:   
----------
          ID: sys-firewall
    Function: qvm.exists
      Result: True
     Comment: /usr/bin/qvm-check sys-firewall 
              VM sys-firewall exists None
     Started: 11:16:51.730518
    Duration: 216.399 ms
     Changes:   
----------
          ID: sys-whonix
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: 
qvm.template-whonix-gw.template-whonix-gw-15
     Changes:   
----------
          ID: whonix-ws-15-dvm
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix, 
qvm.template-whonix-ws.template-whonix-ws-15
     Changes:   
----------
          ID: qvm-appmenus --update whonix-ws-15-dvm
    Function: cmd.run
      Result: False
     Comment: One or more requisite failed: 
qvm.whonix-ws-dvm.whonix-ws-15-dvm
     Changes:   
----------
          ID: anon-whonix
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix, 
qvm.template-whonix-ws.template-whonix-ws-15, 
qvm.whonix-ws-dvm.whonix-ws-15-dvm
     Changes:  

Summary for local
------------
Succeeded: 5
Failed:    8
------------
Total states run:    13
Total run time:   8.351 s
DOM0 configuration failed, not continuing
[claudio@dom0 ~]$

On Thursday, 25 July 2019 07:14:34 UTC+3, Andrew David Wong wrote:
>
> Dear Qubes Community, 
>
> We have just published Qubes Security Bulletin (QSB) #050: Reinstalling 
> a TemplateVM does not reset the private volume. The text of this QSB is 
> reproduced below. This QSB and its accompanying signatures will always 
> be available in the Qubes Security Pack (qubes-secpack). 
>
> View QSB #050 in the qubes-secpack: 
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt 
>
> Learn about the qubes-secpack, including how to obtain, verify, and read 
> it: 
>
> https://www.qubes-os.org/security/pack/ 
>
> View all past QSBs: 
>
> https://www.qubes-os.org/security/bulletins/ 
>
> ``` 
>
>
>              ---===[ Qubes Security Bulletin #50 ]===--- 
>
>                              2019-07-24 
>
>
>       Reinstalling a TemplateVM does not reset the private volume 
>
> Description 
> =========== 
>
> In Qubes OS, we have the ability to reinstall a TemplateVM by running 
> `qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1] 
> This is supposed to reset the corresponding TemplateVM to the state of 
> the published package, i.e., no local changes should remain. 
>
> One uncommon reason to perform such a reinstallation is that you suspect 
> that a TemplateVM may be compromised. In such cases, it is very 
> important that no local changes persist in order to ensure that the 
> TemplateVM is no longer compromised. 
>
> Due to a regression in R4.0 [2], however, reinstalling a TemplateVM 
> using qubes-dom0-update does not completely reset all local changes to 
> that TemplateVM. Although the tool itself and our documentation claim 
> that the private volume of the TemplateVM is reset during 
> reinstallation, the private volume does not actually get reset. This 
> could allow a TemplateVM to remain compromised across a reinstallation 
> of that TemplateVM using qubes-dom0-update. 
>
> Workaround 
> ========== 
>
> Fixed packages are forthcoming. In the meantime, we recommend avoiding 
> the qubes-dom0-update method of reinstalling a TemplateVM. Instead, we 
> recommend manually removing the TemplateVM, then installing it again. 
> Detailed instructions for this manual method are documented here: 
>
> https://www.qubes-os.org/doc/reinstall-template/#manual-method 
>
> (Note that we have updated this page with a warning against the 
> automatic method.) 
>
> Patching 
> ========= 
>
> We expect to have fixed packages available next week. In the meantime, 
> please follow the workaround described in the previous section. We will 
> update this QSB when fixed packages are available. 
>
> Credits 
> ======== 
>
> Thank you to Andrey Bienkowski <hexagonr...@gmail.com> for 
> discovering and reporting this issue. 
>
> References 
> =========== 
>
> [1] https://www.qubes-os.org/doc/reinstall-template/ 
> [2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
>
> - -- 
> The Qubes Security Team 
> https://www.qubes-os.org/security/ 
>
> ``` 
>
> This announcement is also available on the Qubes website: 
> https://www.qubes-os.org/news/2019/07/24/qsb-050/ 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/62ebcce1-ff50-43c9-9e8a-d81a4f2dbbd2%40googlegroups.com.
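
In the `qubesctl` output above, only some of the failed states actually ran; the others were skipped by Salt because a requisite had already failed. The following is an added example, not part of the original thread, that separates the two groups in Salt's per-state report so the states to investigate first stand out. `SAMPLE` is a shortened, un-wrapped excerpt of that output, and the `<sls path>.<state id>` requisite format is an assumption read off the comments shown there.

```python
import re
# Shortened, un-wrapped excerpt of the qubesctl output in the message above.
SAMPLE = """\
local:
----------
          ID: template-whonix-ws-15
    Function: pkg.installed
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:
----------
          ID: whonix-ws-update-policy
    Function: file.prepend
      Result: True
----------
          ID: whonix-ws-15-dvm
    Function: qvm.vm
      Result: False
     Comment: One or more requisite failed: qvm.sys-whonix.sys-whonix,
              qvm.template-whonix-ws.template-whonix-ws-15
"""

FIELD = re.compile(r"^\s*(ID|Function|Name|Result|Comment|Started|Duration|Changes):\s?(.*)$")
REQ = "One or more requisite failed:"

def parse_states(text):
    # Blocks are separated by a line of exactly ten dashes; text before the first is dropped.
    for block in re.split(r"^-{10}[ \t]*$", text, flags=re.M)[1:]:
        state, key = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                key = m.group(1)
                state[key] = m.group(2).strip()
            elif key and line.strip():
                state[key] += "\n" + line.strip()  # continuation of a wrapped value
        if "ID" in state:
            yield state

def triage(text):
    out = {"ran_and_failed": [], "skipped": {}}
    for s in parse_states(text):
        if s.get("Result") != "False":
            continue
        comment = s.get("Comment", "")
        if comment.startswith(REQ):
            # Assumed requisite format: <sls path>.<state id>; keep the state id.
            reqs = comment[len(REQ):].split(",")
            out["skipped"][s["ID"]] = [r.strip().rsplit(".", 1)[-1] for r in reqs]
        else:
            out["ran_and_failed"].append((s["ID"], s["Function"]))
    return out
```
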