Recovery

From Kicksecure
Revision as of 12:02, 21 December 2021 by Nurmagoz (talk | contribs)
Jump to navigation Jump to search


Introduction

The goal of this wiki page is to provide the user with knowledge for higher system reliability, robustness, increases uptime, backup, restoration, recovery and repair skills.

It is prudent to acquire these skills prior to an eventual later grave issue such as an unbootable VM or even unbootable host operating system, data loss or similar. This is because naturally for most users once they are affected by a grave issue, the mind goes into "issue solving mode", which can be stressful and less productive, specifically when it is currently a bad time to acquire these skills due to other more pressing priorities. By learning these skills in advance, one can the skills during a more appropriate time in in a much more positive, relayed environment which might potentially greatly increase a user's ability and lower the time required to fix their broken system, should this happen in the future.

Useful Skills

Useful Habits

  • Keep the log of any system upgrades as well as software installation processes.
  • Keep one or multiple root virtual terminal tabs in a terminal emulator open during actions which might break to unbootable systems, data loss or other issues during software installation or upgrades. The same goes for one or multiple root virtual consoles. This advice (for higher ability to easily recover from issuing gaining root) conflicts with the general security advice from the root wiki page (for better security).

Recovery Mode

Info Non-Qubes-Whonix only.

If an error occurs that prevents Kicksecure from booting, it is possible to try and boot Kicksecure in recovery mode to fix the problem. It is advisable to learn how to use recovery mode while everything is still functional in case of future issues.

  1. After powering on a Non-Qubes-Whonix VM, you will see the virtual BIOS for a second, then the grub boot menu. The grub boot menu is easily identified by the first line of text which begins with GNU GRUB.
  2. Use the arrow keys to navigate and select Advanced Options for Kicksecure GNU/Linux.
  3. Press Enter.
  4. Choose the second option which at the end displays (recovery mode).
  5. Press Enter.
  6. Somewhere in the output, a message similar to the following will appear (it might be entangled with other debug output):

    Give root password for maintenance (Or press control + d to continue):

  7. Enter the root password.
  8. While typing, no asterisk symbols (*) will appear; the password must be typed "blind". [1]
  9. Press Enter.
  10. The default keyboard layout will be en-US. To change this setting, see: Keyboard Layout.
  11. Enter exit to continue booting or poweroff or reboot.

TODO: Explore whether networking is possible and how to transfer files out of the VM.

Virtual Consoles

An easier and more lightweight solution as alternative to recovery mode might be virtual consoles. If the graphical user interface is no longer starting, login to a virtual console might still be possible.

1. Prerequisite knowledge: Virtual Consoles.

2. Try to login in a virtual console in a different, still functional VM (virtual machine) as an exercise.

3. If that works, try login to virtual console in the broken VM.

Hard Drive Recovery

If no data needs be recovered, a complete re-installation might be easier.

If the host got unbootable due to hard drive issues:

  1. Damage control. Stop using the hard drive. This is because further use might add further damage.
  2. Make a full 1:1 raw clone of the hard drive.
  3. Data recovery. Unspecific to Kicksecure.

If a VM got unbootable due to hard drive issues:

Stop using the VM. This is because further use might add further damage.

  1. Create a full raw copy of the hard drive.
  2. Make a full 1:1 raw clone of the VM.
  3. Data recovery. Unspecific to Kicksecure.

Unlock User Account: Excessive Wrong Password Entry Attempts

See: Unlock User Account: Excessive Wrong Password Entry Attempts.

Chroot

If an error occurs that prevents Kicksecure from booting, it is possible to chrootarchive.org iconarchive.today icon into Kicksecure from a live CD to fix the problem.

A disk image must be downloaded for this purpose -- Debian Live imagesarchive.org iconarchive.today icon or Archisoarchive.org iconarchive.today icon are useful options for this procedure.

Virtualbox

In Virtualbox, navigate to the VM storage settings. At the second controller, click the optical disk icon and add the disk image.

In the Motherboard settings, move the Optical disk component to the top of the boot order, press OK and start the VM.

KVM

In virt-manager, click on the VM, click the settings icon at the top and click "Add Hardware". In "Storage", change the device type to "CDROM device" and add the disk image. Click "Finish" and at the boot options setting, move the CDROM to the top of the boot order.

Qubes-Whonix

This procedure is undocumented and unspecific to Kicksecure. See unspecific.

Booting into the Live CD

After booting into the Live CD, follow these steps.

1. List the available drives and partitions.

Click = Copy Copied to clipboard! fdisk -l

2. Mount the partition.

Click = Copy Copied to clipboard! mount /dev/sda1 /mnt

Replace "/dev/sda1" with the drive partition name.

3. Chroot into the partition.

Click = Copy Copied to clipboard! chroot /mnt /bin/bash

4. Optional: If the PATH variable is incorrect, it can be fixed with the following command.

Click = Copy Copied to clipboard! source /etc/profile

Serial Console

VirtualBox

Preparation

Host Preparation

Install socat on the host operating system. The following steps apply to Linux distributions.

Install package(s) socat following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the systemOnion network Logo.

Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade

3 Install the socat package(s).

Using apt command line --no-install-recommends optionOnion network Logo is in most cases optional.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends socat

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template ModificationOnion network Logo.

5 Done.

The procedure of installing package(s) socat is complete.

Windows and macOS hosts: Undocumented, but should also work in theory. It is advised to research these using a non-Kicksecure VM such as Debian bookworm and learn it in a generic way which could then also be applied to Kicksecure.

VM Preparation

Inside the Kicksecure virtual machine where you want to enable the serial console, install the serial-console-enable package.

Install package(s) serial-console-enable following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the systemOnion network Logo.

Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade

3 Install the serial-console-enable package(s).

Using apt command line --no-install-recommends optionOnion network Logo is in most cases optional.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends serial-console-enable

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template ModificationOnion network Logo.

5 Done.

The procedure of installing package(s) serial-console-enable is complete.

(Installed by default would be nice but it is not installed by default due to issue. TODO: add reference)

Read Only Serial Console

This option is very useful for capturing diagnostic output from a virtual machine. It allows a log of everything written to the kernel console to be obtained -- all console output is written to a plain text file from boot until shutdown. The logfile persists after VM shutdown, but is overwritten after the VM is shutdown and powered on again.

1. Enable the serial ports option.

Whonix-Workstation VM settingsSerial PortsTick enable

Configure the following settings:

  • Port Number: COM1 (default)
  • Port Mode: Raw File
  • Path/Address: /home/user/vbox-raw-file

2. View the file with a text editor.

Any text editor can be used for this purpose. For example to view the file with mousepad, run.

Click = Copy Copied to clipboard! mousepad /home/user/vbox-raw-file

3. Optional: View the file as it is being appended to from a terminal emulator.

The logfile is also compatible with other standard linux utlitites such as tail. To view it as it is being written, run.

Click = Copy Copied to clipboard! tail -f /home/user/vbox-raw-file

4. Retain the file contents.

After VM shutdown it may be useful to retain its contents by copying the vbox-raw-file elsewhere to make it a persistent log file. If this is desirable, run.

Click = Copy Copied to clipboard! cp /home/user/vbox-raw-file /home/user/vbox-console-log

Interactive Serial Console

This procedure does not yet work during the grub boot menu.

1. Enable serial ports on the host.

Whonix-Workstation VM settingsSerial PortsTick enable

Configure the following settings:

  • Port Number: COM1 (default)
  • Port Mode: Host Pipe
  • Option: uncheck Connect to existing pipe/socket
  • Path/Address: /home/user/vbox-socket-file

[2] [3]

2. Connect to the relevant unix domain socket file.

On the host, run the following socat command to connect to the unix domain socket file which is connected to the operating system running inside the virtual machine. [4]

Click = Copy Copied to clipboard! socat - UNIX-CONNECT:/home/user/vbox-socket-file

Depending on when the above command is run, nothing might appear. The reason is an interactive serial console will only show messages once connected to the serial console; old messages cannot be viewed that way. If the above command is run during early boot, then verbose messages will appear during boot. However, if you press Enter that should result in the virtual console asking for authentication.

3. Log in to the Kicksecure session.

Press Enter. The following prompt will appear. 

host login:

Do not enter your host login username! Enter your Kicksecure user login name, which is most likely user. Press Enter. The following prompt will appear. 

Password:

Enter the password for that user account; see Default Passwords. Press Enter.

Warning: the password will not be hidden by asterisk ("*") symbols. In other words, the password will be written in cleartext and could be read by anyone looking over your shoulder.

Also note that root logins are not possible by default.

Forum Discussion

https://forums.whonix.org/t/serial-console-in-virtualbox/8021archive.org iconarchive.today icon

KVM

See KVM, serial console.

See Also

Footnotes

  1. See also: Whonix Default Passwords.
  2. If an error like the following appears. 
    Failed to open a session for the virtual machine Whonix-Gateway-XFCE_15.0.0.4.9.

    NamedPipe#0 failed to connect to local socket /home/user/vbox-socket-file (VERR_FILE_NOT_FOUND).

    Result Code: NS_ERROR_FAILURE (0x80004005)
Component: ConsoleWrap
Interface: IConsole {872da645-4a9b-1727-bee2-5585105b9eed}

    Then you must uncheck Connect to existing pipe/socket.

  3. Click = Copy Copied to clipboard! vboxmanage modifyvm Whonix-Gateway-XFCE --uart1 0x3F8 4 --uartmode1=server /home/user/vbox-socket-file-gw Click = Copy Copied to clipboard! vboxmanage modifyvm Whonix-Workstation-XFCE --uart1 0x3F8 4 --uartmode1=server /home/user/vbox-socket-file-ws
  4. Click = Copy Copied to clipboard! socat - UNIX-CONNECT:/home/user/vbox-socket-file-gw Click = Copy Copied to clipboard! socat - UNIX-CONNECT:/home/user/vbox-socket-file-ws
Notification image
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Recovery&oldid=53840"