[qubes-users] Trying to create an OSINT VM with Qubes Fedora template: Need help getting pip to work

Hello there all,

I am currently following the instructions to create an OSINT VM from Michael Bazzell’s “Open Source Intelligence Techniques 8th Edition.” Naturally I’m trying to avoid installing a whole new OS (Ubuntu is recommended by the author) or to have a dedicated laptop for this. I figured it would be a fun experiment to see how far I could get with Qubes before I ran into problems.

So far, issues are minor but when I hit a roadblock, like the below terminal text, I’m ill-prepared to troubleshoot it myself. Can someone help me understand what I’m looking at and how to fix it so I can install packages via pip onto my Fedora templateVM? Thank you

Qubes version: 4.0

Problem: Need to install recommended OSINT tools to Fedora 32 templateVM, user is inexperienced with Linux and troubleshooting issues.
Solutions attempted: YOLOing it and figuring out how to install each package as best I can, as I come across them, bypassing the ones which I have difficulty installing.

Relevant Terminal text:

[user@fedora-32 ~]$ sudo -H python3 -m pip install instalooter
WARNING: Running pip install with root privileges is generally not a good idea. Try python3 -m pip install --user instead.
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by ‘NewConnectionError(’<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7a2f64242310>: Failed to establish a new connection: [Errno -2] Name or service not known’)’: /simple/instalooter/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by ‘NewConnectionError(’<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7a2f642427c0>: Failed to establish a new connection: [Errno -2] Name or service not known’)’: /simple/instalooter/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by ‘NewConnectionError(’<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7a2f64242d90>: Failed to establish a new connection: [Errno -2] Name or service not known’)’: /simple/instalooter/
^CERROR: Operation cancelled by user

> Hello there all,
>
> I am currently following the instructions to create an OSINT VM from Michael Bazzell's "Open Source Intelligence Techniques 8th Edition."

It's a good book. I do wish he had a chapter for Qubes in it. I think the only reason Michael doesn't push Qubes as a platform is that it has a steep learning curve that not many are willing to take on. If you do Qubes anyway and the learning curve is OK, then you will find Qubes to be a much more flexible platform in the long run.

> Naturally I'm trying to avoid installing a whole new OS (Ubuntu is recommended by the author) or to have a dedicated laptop for this. I figured it would be a fun experiment to see how far I could get with Qubes before I ran into problems.

All the way I'm sure.

> So far, issues are minor but when I hit a roadblock, like the below terminal text, I'm ill-prepared to troubleshoot it myself. Can someone help me understand what I'm looking at and how to fix it so I can install packages via pip onto my Fedora templateVM? Thank you

First, templates do not have network access by default, so you may need a proxy setup.

By default, pip needs/wants to install directly into the system space (/usr/local/), which on a template is not shared with the AppVM. Because this directory is not even presented to an AppVM file system, it won't be usable in the AppVM. It would need to be installed in the AppVM itself if you want it installed in /usr/local.

The problem is, security-wise, it's a bad idea to run foreign code (pip's package installer scripts) as root in a template. You could easily compromise every AppVM on the system by introducing malicious code. That is why pip was warning about running as root.

But if you use the "--user" flag as the error message says, then pip can install the packages in an AppVM with everything installed into the user's home directory. That way the user has control over the env and can choose which environment they want to use.

If you were wanting to have the ability to start from a pristine starting point for each user session, then you might want to either create a dvm or create a default AppVM which can be cloned as often as you like.

> Relevant Terminal text:
> [user@fedora-32 ~]$ sudo -H python3 -m pip install instalooter

$ python3 -m pip install --user instalooter

The above will install in the user's directory instead.

Always use a VPN or Whonix.
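
The advice in the reply above, as an added example that is not part of the original thread: a small shell guard that refuses to run pip as root or inside a template and otherwise does a per-user install. The function names are hypothetical, and the script assumes the Qubes agent tool `qubesdb-read` is present in the qube (outside Qubes the type is reported as "unknown").

```shell
#!/bin/sh
# Added example: guard around "pip install" for a Qubes qube.
# Function names are hypothetical; qubesdb-read is the Qubes agent tool.

# Print the qube type (e.g. TemplateVM, AppVM), or "unknown" outside Qubes.
vm_type() {
    if command -v qubesdb-read >/dev/null 2>&1; then
        qubesdb-read /qubes-vm-type 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Decide what to do for a given numeric uid and qube type.
# Prints one of: refuse-root, refuse-template, user-install
pip_policy() {
    uid=$1
    vmtype=$2
    if [ "$uid" -eq 0 ]; then
        echo refuse-root        # installer scripts would run as root
    elif [ "$vmtype" = "TemplateVM" ]; then
        echo refuse-template    # the template's home is not the AppVM's home
    else
        echo user-install
    fi
}

# Install the named packages into the calling user's home directory.
safe_pip_install() {
    case $(pip_policy "$(id -u)" "$(vm_type)") in
        refuse-root)
            echo "refusing: do not run pip as root (drop sudo)" >&2
            return 1 ;;
        refuse-template)
            echo "refusing: this is a template; install in an AppVM" >&2
            return 1 ;;
        user-install)
            python3 -m pip install --user "$@" ;;
    esac
}

# Usage, inside the OSINT AppVM:  safe_pip_install instalooter
```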

I appreciate all the responses. The AppVM approach turned out to be ideal anyway: what didn’t get installed via pip to the templateVM got installed to a dedicated OSINT “template” AppVM. That way, like Steve suggested, I can clone it at will so I can have a clean start point each time.

As an aside, I don’t mind the learning curve honestly for this OS, I love it. I just had to learn to actually talk and ask for help when it comes to troubleshooting issues I come across. The OS itself is a little intimidating for a novice, but all it takes is some work. Appreciate this response, Steve; thank you, it did help.

Sorry for the double post, I’m unfamiliar with Google Groups. Floyd: I’ll keep that in mind regarding the tools he suggests. For one, I’m not installing Chrome anytime soon. I’ll try to stick to open source, but honestly, I’m probably gonna focus on maintaining anonymity and effectiveness with how I treat his book. And the tools’ first usage will certainly be a crash course for me. If I run into video codec problems with this install and find it too much of a pain, I’ll try the Debian install for sure. I’m actually kinda interested in seeing what you put together, do you have a link to that template handy?

And yes, Whonix-Qubes with a VPN to make sure Google plays nice with me would be the plan. Thank you.

> For one, I’m not installing chrome anytime soon. I’ll try to stick to open source,

There are times when Firefox doesn’t want to play nice with some websites, and trying an alternative browser can help identify those issues. When that happens I try the Chromium browser, which is essentially the Google browser source code but compiled so as to leave out the intrusive Google spying features. It is open source, so the only question is whether you trust the people maintaining this browser to have left out enough. While I will not use it as my primary browser, I do sometimes use it for testing purposes. I have found that it generally works well for media files and scripts that Firefox may refuse to run.

Steve

Thanks for the info. Looks like I’ll have a Chromium install on the OSINT VM as well. Thank you.