Re: [qubes-users] Re: QSB #050: Reinstalling a TemplateVM does not reset the private volume
Hey,

Thanks a lot, this has ended a 3 weeks fight to reinstall whonix. I've changed default firewall to UpdateVM and it worked.

Best Regards

On 26/07/2019 15:12, 'awokd' via qubes-users wrote:
> Claudio Chinicz:
>
>> Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this
>> may take some time...
>
> Don't think Mirage supports running as UpdateVM. Try a Debian or Fedora
> based AppVM instead.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7098c3fd-f483-7100-4556-95f0967023df%40gmail.com.
Re: [qubes-users] Re: QSB #050: Reinstalling a TemplateVM does not reset the private volume
Claudio Chinicz:
> Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this
> may take some time...

Don't think Mirage supports running as UpdateVM. Try a Debian or Fedora based AppVM instead.
[qubes-users] Re: QSB #050: Reinstalling a TemplateVM does not reset the private volume
Hi Andrew,

After removing all Whonix related templates and VMs, I've followed the link you suggested (https://www.whonix.org/wiki/Qubes/Install) and run into errors (see below).

Any ideas why the "sudo qubesctl state.sls qvm.anon-whonix" fails and reports the whonix-gw and ws are missing? I thought it would install the templates anew, especially because there are instructions saying we should first remove whonix completely.

Best

[claudio@dom0 ~]$ sudo qubesctl state.sls qvm.anon-whonix
[ERROR ] Command '['systemd-run', '--scope', 'qubes-dom0-update', '-y', '--best', '--allowerasing', '--disablerepo=*', '--enablerepo=qubes-templates-community', '--clean', '--action=install', 'qubes-template-whonix-ws-15']' failed with return code: 1
[ERROR ] stdout: Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[ERROR ] retcode: 1
[ERROR ] Error occurred installing package(s). Additional info follows:

errors:
    - Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
      Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[WARNING ] /var/cache/salt/minion/extmods/states/ext_state_qvm.py:142: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  status = Status(retcode=1, result=False, stderr=err.message + '\n')
[ERROR ] == ['features'] ==
Virtual Machine does not exist!
== ['tags'] ==
[SKIP] Skipping due to previous failure!
[ERROR ] Command '['systemd-run', '--scope', 'qubes-dom0-update', '-y', '--best', '--allowerasing', '--disablerepo=*', '--enablerepo=qubes-templates-community', '--action=install', 'qubes-template-whonix-gw-15']' failed with return code: 1
[ERROR ] stdout: Running scope as unit: run-r40ec4f8030284021a2f80d44af49d36f.scope
Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[ERROR ] retcode: 1
[ERROR ] Error occurred installing package(s). Additional info follows:

errors:
    - Running scope as unit: run-r40ec4f8030284021a2f80d44af49d36f.scope
      Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
[ERROR ] == ['features'] ==
Virtual Machine does not exist!
== ['tags'] ==
[SKIP] Skipping due to previous failure!
local:
----------
          ID: template-whonix-ws-15
    Function: pkg.installed
        Name: qubes-template-whonix-ws-15
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:

              errors:
                  - Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
                    Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
     Started: 11:16:43.589367
    Duration: 5101.908 ms
     Changes:
----------
          ID: whonix-ws-tag
    Function: qvm.vm
        Name: whonix-ws-15
      Result: False
     Comment: == ['features'] ==
              Virtual Machine does not exist!
              == ['tags'] ==
              [SKIP] Skipping due to previous failure!
     Started: 11:16:48.694020
    Duration: 17.289 ms
     Changes:
----------
          ID: whonix-ws-update-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is in correct state
     Started: 11:16:48.713516
    Duration: 3.164 ms
     Changes:
----------
          ID: whonix-get-date-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.GetDate
      Result: True
     Comment: File /etc/qubes-rpc/policy/qubes.GetDate is in correct state
     Started: 11:16:48.716793
    Duration: 1.201 ms
     Changes:
----------
          ID: template-whonix-gw-15
    Function: pkg.installed
        Name: qubes-template-whonix-gw-15
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:

              errors:
                  - Running scope as unit: run-r40ec4f8030284021a2f80d44af49d36f.scope
                    Using mirage-firewall-wifi as UpdateVM to download updates for Dom0; this may take some time...
     Started: 11:16:48.718085
    Duration: 2780.185 ms
     Changes:
----------
          ID: whonix-gw-tag
    Function: qvm.vm
        Name: whonix-gw-15
      Result: False
     Comment: == ['features'] ==
              Virtual Machine does not exist!
              == ['tags'] ==
              [SKIP] Skipping due to previous failure!
     Started: 11:16:51.498524
    Duration: 15.627 ms
     Changes:
----------
          ID: whonix-gw-update-policy
    Function: file.prepend
        Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
      Result: True
     Comment: File
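An added example, not part of the original post and not Qubes or Salt code: a short Python triage of the qubesctl state summary posted above. It separates the states that failed on their own (the pkg.installed template downloads) from the states that failed only because the template was never installed, and extracts the UpdateVM dom0 used. The sample text is constructed from lines in the post, and the function names are hypothetical.

```python
import re
# Constructed sample, shortened from the state summary posted above.
SAMPLE = """\
----------
          ID: template-whonix-ws-15
    Function: pkg.installed
      Result: False
     Comment: Error occurred installing package(s). Additional info follows:
              errors:
                  - Running scope as unit: run-r73c74b031ca0467aa7984ab0632f7f78.scope
                    Using mirage-firewall-wifi as UpdateVM to download updates for Dom0
----------
          ID: whonix-ws-tag
    Function: qvm.vm
      Result: False
     Comment: == ['features'] ==
              Virtual Machine does not exist!
----------
          ID: whonix-ws-update-policy
    Function: file.prepend
      Result: True
"""

KEYS = "ID|Function|Name|Result|Comment|Started|Duration|Changes"
FIELD = re.compile(rf"^\s*({KEYS}):\s*(.*?)\s*$")
UPDATEVM = re.compile(r"Using (\S+) as UpdateVM")

def parse_states(text):
    """One dict per state block; wrapped Comment lines are joined."""
    states, key = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "ID":
                states.append({})
            if states:
                states[-1][key] = value
        elif states and key and line.strip() and not set(line.strip()) <= {"-"}:
            states[-1][key] += " " + line.strip()  # continuation line
    return states

def triage(text):
    """Return (updatevm, root_failures, cascaded_failures) as state IDs."""
    vm = UPDATEVM.search(text)
    failed = [s for s in parse_states(text) if s.get("Result") == "False"]
    root = [s["ID"] for s in failed if s.get("Function") == "pkg.installed"]
    cascaded = [s["ID"] for s in failed if "does not exist" in s.get("Comment", "")]
    return (vm.group(1) if vm else None), root, cascaded
```

The separator check accepts any line made only of dashes, so the parser works whether the summary uses long or short rules between blocks.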
Re: [qubes-users] Re: QSB #050: Reinstalling a TemplateVM does not reset the private volume
On 25/07/2019 8.21 PM, Andrew David Wong wrote:
> On 25/07/2019 3.27 AM, Claudio Chinicz wrote:
>> Hi Andrew,
>
>> I needed to reinstall Whonix-gw after having removed all
>> templates. I've followed the instructions contained below on
>> "Workaround"
>> https://www.qubes-os.org/doc/reinstall-template/#manual-method
>> and issued command "sudo qubes-dom0-update
>> --enablerepo=qubes-templates-community qubes-template-whonix-gw"
>> on dom0.
>
>> I've got a message "Using as UpdateVM to
>> download updates for Dom0; this may take some time" but after
>> many hours nothing happened.
>
>> Did I miss something?
>
>> Thanks
>
> If you're downloading over a slow connection or over Tor
> (sys-whonix), it could take a very, very long time, depending on
> the speed of the circuits you're using.
>
> Also, are you sure that "qubes-template-whonix-gw" is the correct
> package name and that there shouldn't be a version number (e.g.,
> 15)?

Since you specifically want to reinstall Whonix (or at least whonix-gw), it might be a better idea to remove the desired TemplateVM(s), then follow the Whonix documentation to install them again:

https://www.whonix.org/wiki/Qubes/Install

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: QSB #050: Reinstalling a TemplateVM does not reset the private volume
On 25/07/2019 3.27 AM, Claudio Chinicz wrote:
> Hi Andrew,
>
> I needed to reinstall Whonix-gw after having removed all templates.
> I've followed the instructions contained below on "Workaround"
> https://www.qubes-os.org/doc/reinstall-template/#manual-method and
> issued command "sudo qubes-dom0-update
> --enablerepo=qubes-templates-community qubes-template-whonix-gw" on
> dom0.
>
> I've got a message "Using as UpdateVM to download
> updates for Dom0; this may take some time" but after many hours
> nothing happened.
>
> Did I miss something?
>
> Thanks

If you're downloading over a slow connection or over Tor (sys-whonix), it could take a very, very long time, depending on the speed of the circuits you're using.

Also, are you sure that "qubes-template-whonix-gw" is the correct package name and that there shouldn't be a version number (e.g., 15)?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: QSB #050: Reinstalling a TemplateVM does not reset the private volume
Hi Andrew,

I needed to reinstall Whonix-gw after having removed all templates. I've followed the instructions contained below on "Workaround" https://www.qubes-os.org/doc/reinstall-template/#manual-method and issued command "sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw" on dom0.

I've got a message "Using as UpdateVM to download updates for Dom0; this may take some time" but after many hours nothing happened.

Did I miss something?

Thanks

On Thursday, 25 July 2019 07:14:34 UTC+3, Andrew David Wong wrote:
>
> Dear Qubes Community,
>
> We have just published Qubes Security Bulletin (QSB) #050: Reinstalling
> a TemplateVM does not reset the private volume. The text of this QSB is
> reproduced below. This QSB and its accompanying signatures will always
> be available in the Qubes Security Pack (qubes-secpack).
>
> View QSB #050 in the qubes-secpack:
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt
>
> Learn about the qubes-secpack, including how to obtain, verify, and read
> it:
>
> https://www.qubes-os.org/security/pack/
>
> View all past QSBs:
>
> https://www.qubes-os.org/security/bulletins/
>
> ```
>
>
> ---===[ Qubes Security Bulletin #50 ]===---
>
> 2019-07-24
>
>
> Reinstalling a TemplateVM does not reset the private volume
>
> Description
> ===========
>
> In Qubes OS, we have the ability to reinstall a TemplateVM by running
> `qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
> This is supposed to reset the corresponding TemplateVM to the state of
> the published package, i.e., no local changes should remain.
>
> One uncommon reason to perform such a reinstallation is that you suspect
> that a TemplateVM may be compromised. In such cases, it is very
> important that no local changes persist in order to ensure that the
> TemplateVM is no longer compromised.
>
> Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
> using qubes-dom0-update does not completely reset all local changes to
> that TemplateVM. Although the tool itself and our documentation claim
> that the private volume of the TemplateVM is reset during
> reinstallation, the private volume does not actually get reset. This
> could allow a TemplateVM to remain compromised across a reinstallation
> of that TemplateVM using qubes-dom0-update.
>
> Workaround
> ==========
>
> Fixed packages are forthcoming. In the meantime, we recommend avoiding
> the qubes-dom0-update method of reinstalling a TemplateVM. Instead, we
> recommend manually removing the TemplateVM, then installing it again.
> Detailed instructions for this manual method are documented here:
>
> https://www.qubes-os.org/doc/reinstall-template/#manual-method
>
> (Note that we have updated this page with a warning against the
> automatic method.)
>
> Patching
> ========
>
> We expect to have fixed packages available next week. In the meantime,
> please follow the workaround described in the previous section. We will
> update this QSB when fixed packages are available.
>
> Credits
> =======
>
> Thank you to Andrey Bienkowski for
> discovering and reporting this issue.
>
> References
> ==========
>
> [1] https://www.qubes-os.org/doc/reinstall-template/
> [2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
>
> --
> The Qubes Security Team
> https://www.qubes-os.org/security/
>
> ```
>
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2019/07/24/qsb-050/
>
> --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org