Make Whonix fail better after updates to Templates

[bnvk]

@adrelanos I just ran some issues with Whonix after running recent updates to one of my TemplateVMs (I forget which). The issues borders on UX and engineering and sys admin.

The first issue was basically that my ProxyVM couldn't connect to Tor and showed the following pop-up message:

Tor reports: 
Dec 17 10:52:52.976 [notice] Tor v0.2.7.6 (git-605ae665009853bd) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Dec 17 10:52:52.976 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 17 10:52:52.976 [notice] Read configuration file "/etc/tor/torrc".
Dec 17 10:52:52.979 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied
Dec 17 10:52:52.979 [warn] Failed to parse/validate config: Couldn't access/create private data directory "/var/lib/tor/.tor"
Dec 17 10:52:52.979 [err] Reading config failed--see warnings above. 

There was other CLI instructions on how to fix the issue which involved tor --verify-config however, trying to run these commands as instructed in the ProxyVM and TemplateVM came up with permissions errors!

So I created another ProxyVM and starting that, I was presented with a message that instructed me to run apt-get purge on two packages. After purging and using this new ProxyVM things are ok.

Since i'm running Whonix 11 at the moment maybe you've worked on / made these better in Whonix 12, but the goal is to get users to not need to run commands from CLI to perform updates.

[adrelanos]

Did you previously enable the testers repository?

The full output of the error message should been similar to this one?

ERROR: Tor Config Check Result:
Your /etc/tor/torrc file contains at least one error.

(Tor exit code: 1)

Tor reports:
Dec 17 17:41:45.553 [notice] Tor v0.2.7.5 (git-6184c873e90d93b2) running on Linux with Libevent 2.0.21-> stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Dec 17 17:41:45.553 [notice] Tor can't help you if you use it wrong! Learn how to be safe at > https://www.torproject.org/download/download#warning
Dec 17 17:41:45.553 [notice] Read configuration file "/etc/tor/torrc".
Dec 17 17:41:45.557 [warn] Failed to parse/validate config: Unknown option 'x'. Failing.
Dec 17 17:41:45.557 [err] Reading config failed--see warnings above.

You have to fix this error, before you can use Tor.

Try to look at this report yourself by running. dom0 -> Start Menu -> ServiceVM: sys-whonix -> Terminal

sudo -u debian-tor tor --verify-config

And.

sudo -u debian-tor tor --verify-config -f /etc/tor/torrc 

To try to fix this, please open your Tor config file.

dom0 -> Start Menu -> ServiceVM: sys-whonix -> Torrc
or in Terminal: sudo nano /etc/tor/torrc 

Please restart Tor after fixing this error.

dom0 -> Start Menu -> ServiceVM: sys-whonix -> Restart Tor 
or in Terminal: sudo service tor restart 

Restart whonixcheck after fixing this error.

dom0 -> Start Menu -> ServiceVM: sys-whonix -> Whonix Check
or in Terminal: whonixcheck

If you know what you are doing or if this is a false positive, feel free to disable this check. Create a file > /etc/whonix.d/50_whonixcheck_user and add:

whonixcheck_skip_functions+=" check_tor_config "

This is supposed to be shown if the user added something like invalidcommand to /etc/tor/torrc rather than failing silently. In that case, the instruction to run sudo -u debian-tor tor --verify-config is okay as part of actual debug instructions. Users aren't instructed to run that command inside the TemplateVM.

Please post the output of.

sudo ls -la /var/lib/tor

And.

sudo ls -la /var/lib/tor/.tor

Which way did you upgrade? apt-get command line or apper?

the goal is to get users to not need to run commands from CLI to perform updates.

That error popup and sudo -u debian-tor tor --verify-config is not what I supposed to happen during a upgrade.

the goal is to get users to not need to run commands from CLI to perform updates.

Certainly a desirable goal. However, I am afraid, it's imho unrealistic. See this non-Whonix, general Debian issue (that happens to be hosted at Whonix issue tracker), Qubes templates: graphical updater (Apper) broken.

[adrelanos]

Did you previously enable the testers repository?

The full output of the error message should been similar to this one?

ERROR: Tor Config Check Result:
Your /etc/tor/torrc file contains at least one error.

(Tor exit code: 1)

Tor reports:
Dec 17 17:41:45.553 [notice] Tor v0.2.7.5 (git-6184c873e90d93b2) running on Linux with Libevent 2.0.21-> stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Dec 17 17:41:45.553 [notice] Tor can't help you if you use it wrong! Learn how to be safe at > https://www.torproject.org/download/download#warning
Dec 17 17:41:45.553 [notice] Read configuration file "/etc/tor/torrc".
Dec 17 17:41:45.557 [warn] Failed to parse/validate config: Unknown option 'x'. Failing.
Dec 17 17:41:45.557 [err] Reading config failed--see warnings above.

You have to fix this error, before you can use Tor.

Try to look at this report yourself by running. dom0 -> Start Menu -> ServiceVM: sys-whonix -> Terminal

sudo -u debian-tor tor --verify-config

And.

sudo -u debian-tor tor --verify-config -f /etc/tor/torrc 

To try to fix this, please open your Tor config file.

dom0 -> Start Menu -> ServiceVM: sys-whonix -> Torrc
or in Terminal: sudo nano /etc/tor/torrc 

Please restart Tor after fixing this error.

dom0 -> Start Menu -> ServiceVM: sys-whonix -> Restart Tor 
or in Terminal: sudo service tor restart 

Restart whonixcheck after fixing this error.

dom0 -> Start Menu -> ServiceVM: sys-whonix -> Whonix Check
or in Terminal: whonixcheck

If you know what you are doing or if this is a false positive, feel free to disable this check. Create a file > /etc/whonix.d/50_whonixcheck_user and add:

whonixcheck_skip_functions+=" check_tor_config "

This is supposed to be shown if the user added something like invalidcommand to /etc/tor/torrc rather than failing silently. In that case, the instruction to run sudo -u debian-tor tor --verify-config is okay as part of actual debug instructions. Users aren't instructed to run that command inside the TemplateVM.

Please post the output of.

sudo ls -la /var/lib/tor

And.

sudo ls -la /var/lib/tor/.tor

Which way did you upgrade? apt-get command line or apper?

the goal is to get users to not need to run commands from CLI to perform updates.

That error popup and sudo -u debian-tor tor --verify-config is not what I supposed to happen during a upgrade.

the goal is to get users to not need to run commands from CLI to perform updates.

Certainly a desirable goal. However, I am afraid, it's imho unrealistic. See this non-Whonix, general Debian issue (that happens to be hosted at Whonix issue tracker), Qubes templates: graphical updater (Apper) broken.

[marmarek]

What is status of this? One time error, to be closed? Or some fix is needed here?

[marmarek]

What is status of this? One time error, to be closed? Or some fix is needed here?

[adrelanos]

I am waiting for further information from @bnvk.

[adrelanos]

I am waiting for further information from @bnvk.

[bnvk]

Haven't noticed this issue for awhile. Closing it for now!

[bnvk]

Haven't noticed this issue for awhile. Closing it for now!