Whonix-17 - sys-net based on fedora-38-minimal makes problems

Hi guys,

I’ve prepared my own sys-firewall and sys-net based on fedora-38-minimal.

All works well except sys-whonix.

Below you’ll find the different sdwdate.log files. Both times I’ve used the same sys-firewall based on fedora-38-minimal template. The only difference is in the used sys-net: The first time it’s the one based on fedora-38-minimal template, the second time it’s the original one, built by Qubes’ salt script.

Connection sys-whonix ↔ sys-firewall-minimalFedora ↔ sys-net-minimalFedora:

__ Conclusion: No Tor circuit established yet.
__ ### END: ### Exiting with exit_code ‘2’ indicating ‘wait, show busy icon and retry.’.
2023-10-30 11:47:44 - sdwdate - INFO - PREPARATION RESULT: onion-time-pre-script recommended to wait. Consider running systemcheck for more information.
2023-10-30 11:47:44 - sdwdate - INFO -
2023-10-30 11:47:46 - sdwdate - INFO - PREPARATION: running onion-time-pre-script…
2023-10-30 11:47:46 - sdwdate - INFO -
__ ### START: ### /usr/libexec/helper-scripts/onion-time-pre-script
__ Status: Subsequent run after boot.
__ Static Time Sanity Check: Within minimum time ‘Mon Jun 12 00:00:00 UTC 2023’ and expiration timestamp ‘Tue May 17 10:00:00 UTC 2033’, ok.
__ Tor reports: NOTICE BOOTSTRAP PROGRESS=0 TAG=starting SUMMARY=“Starting”
__ Tor circuit: not established
__ Tor Consensus Time Sanity Check: Clock within consensus parameters consensus/valid-after 2023-10-30 10:00:00 and consensus/valid-until 2023-10-30 13:00:00.
__ Conclusion: No Tor circuit established yet.
__ ### END: ### Exiting with exit_code ‘2’ indicating ‘wait, show busy icon and retry.’.
2023-10-30 11:47:46 - sdwdate - INFO - PREPARATION RESULT: onion-time-pre-script recommended to wait. Consider running systemcheck for more information.
2023-10-30 11:47:46 - sdwdate - INFO -

Connection sys-whonix ↔ sys-firewall-minimalFedora ↔ sys-net (Qubes-default):

2023-10-30 11:54:05 - sdwdate - INFO - replay_protection_time : 2023-10-30 11:36:26
2023-10-30 11:54:05 - sdwdate - INFO - old_unixtime_human_readable : 2023-10-30 11:54:06
2023-10-30 11:54:05 - sdwdate - INFO - new_unixtime_human_readable : 2023-10-30 11:53:37
2023-10-30 11:54:05 - sdwdate - INFO - Instantly setting the time by using command: /bin/date --utc “+%Y-%m-%d %H:%M:%S” --set “@1698666816.704068899
2023-10-30 11:53:36 - sdwdate - INFO - /bin/date output: 2023-10-30 11:53:36
2023-10-30 11:53:36 - sdwdate - INFO - Time Replay Protection: write 1698666817 to file: /var/lib/sdwdate/time-replay-protection-utc-unixtime
2023-10-30 11:53:36 - sdwdate - INFO - Time Replay Protection: write 2023-10-30 11:53:37 to file: /var/lib/sdwdate/time-replay-protection-utc-humanreadable
2023-10-30 11:53:36 - sdwdate - INFO - Sleeping for 114 minutes, ok.
2023-10-30 11:53:36 - sdwdate - INFO - running command: sleep 6819.921395275
2023-10-30 11:53:36 - /usr/bin/whonix-gateway-firewall - OK: Loading Whonix firewall…
2023-10-30 11:53:36 - /usr/bin/whonix-gateway-firewall - OK: Skipping firewall mode detection since already set to ‘full’.
2023-10-30 11:53:36 - /usr/bin/whonix-gateway-firewall - OK: (Full torified network access allowed.)
2023-10-30 11:53:37 - /usr/bin/whonix-gateway-firewall - OK: Whonix firewall loaded.

Any ideas?

Idea 1: To start with, did you run “systemcheck” as prompted?
Idea 2: This looks like Tor not being able to establish a connection… in which case, you should check the Tor logs. Easiest way is to right-click on the Padlock in the notification area → sys-whonix → Tor Control Panel , and select the Logs tab.

Here’s the output of “systemcheck”:

[INFO] [systemcheck] sys-whonix | Whonix-Gateway | whonix-gateway-17 TemplateBased ProxyVM | Mon Oct 30 05:00:52 PM UTC 2023
[ERROR] [systemcheck] check network interfaces Result: network interface eth0 not up!

Try to manually start Whonix networking.

sudo systemctl restart networking

Or reboot.

Debugging information:
sudo --non-interactive cat /sys/class/net/eth0/carrier failed.

If this error happens only during upgrading or is transient this error can be safely ignored.

If you know what you are doing, feel free to disable this check.
Create a file /etc/systemcheck.d/50_user.conf and add:
systemcheck_skip_functions+=" check_network_interfaces "
zsh: exit 1 systemcheck

Execution of “sudo systemctl restart networking” doesn’t change anything.

I followed these 2 docs to build sys-net-minimal, but used fedora-38-minimal template and the corresponding fedora packages instead of debian-minimal and debian packages.

How to set the template of sys-net to debian-minimal? - #14 by tanky0u

As said: All tasks the default sys-net shall do, my sys-net-minimal does, too.

But it seems there’s got some special configuration not mentioned, what is needed for sys-whonix to function.

The difference I found is in this file in sys-whonix: “/sys/class/net/eth0/carrier”

If connected over sys-net (qubes default) the output of
“sudo cat /sys/class/net/eth0/carrier” is “1”

If connected over sys-net-minimal the output of
“sudo cat /sys/class/net/eth0/carrier” is “Invalid argument”

In both versions the file exists and has got a length of 1 byte and the “Ethernet Network Connection” is shown as “Disconnected” in Network Manager.

This is really the “Link” status of eth0, which is “not connected” in your case. So for some reason, that is unclear to me at this time, your network connection from sys-whonix to sys-firewall-minimalFedora doesn’t work at all.

Why did you create your own sys-net/firewall qubes? What was the motivation/reasoning behind this?

The idea was, not to use the bloated fedora-38-xfce template, what is for daily tasks ok, but for system security related tasks to overloaded with unneedet packages and programs.

Anyone else with some idea what I can do?

My goal is, to put my minimized templates into the community repository when they are ready …

Just to be sure, in this setup:

Connection sys-whonix ↔ sys-firewall-minimalFedora ↔ sys-net-minimalFedora:

If you use some test appvm qube based on fedora/debian instead of sys-whonix then will internet work there?

Connection test-appvm ↔ sys-firewall-minimalFedora ↔ sys-net-minimalFedora:

Yes, no problems. Only sys-whonix denies to work.

I have no idea if this is related. Largely because it’s whonix-16, but also because I was able to update dom0 through whonix.

But when I tried to update [edit: when I tried to update the whonix template] it insisted that sys-whonix wasn’t “torified” and wouldn’t update. Furthermore, it only happened on one system of mine (out of two) and completely reinstalling whonix didn’t resolve the issue. I ultimately just had to delete whonix off that system since it wouldn’t update but WOULD light up the updates needed, obscuring other needed updates.

But just in case it IS somehow related:

Can’t update whonix-gw-16 - User Support / General - Qubes OS Forum (qubes-os.org)

Meanwhile I’ve got reinstalled the whonix templates: The same result.

My next try will be to recreate my minimal templates for sys-firewall and sys-net. - This time with exact documentation, so we can check my setup.

My bad