fix tutorials

2025-07-01 15:36:40 +00:00 · 2025-06-15 15:40:10 +02:00 · 2025-06-15 15:40:10 +02:00 · acb5942b39
commit acb5942b39
parent dd83120407
2 changed files with 132 additions and 10 deletions
--- a/docker-tor/index.md
+++ b/docker-tor/index.md
@ -0,0 +1,119 @@
 ---
 author: Anonymous
 date: 2025-01-31
 gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260"
 xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
 ---
 # How to use Docker containers on the whonix workstation
 ## How to install Docker
 As usual we install docker via apt like so:
 ```sh
 [workstation user ~]% sudo apt install docker.io docker-compose -y
 ```
 ## How to make sure that Docker pulls images through Tor
 ```sh
 [workstation user ~]% sudo docker pull alpine
 Using default tag: latest
 Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 10.152.152.10:53: read udp 10.152.152.11:33883->10.152.152.10:53: i/o timeout
 zsh: exit 1     sudo docker pull alpine
 ```
 Here as you can see when we try to pull an alpine image, docker can't pull it, to fix that we need to make sure that docker pulls through the localhost tor socks5 proxy on port 9050:
 ```sh
 [workstation user ~]% sudo mkdir /etc/systemd/system/docker.service.d/          
 [workstation user ~]% sudo vim /etc/systemd/system/docker.service.d/proxy.conf
 [workstation user ~]% cat /etc/systemd/system/docker.service.d/proxy.conf
 [Service]
 Environment="HTTP_PROXY=socks5://127.0.0.1:9050"
 Environment="HTTPS_PROXY=socks5://127.0.0.1:9050"
 ```
 Now that's created, we reload the systemd service and try to pull the alpine docker image again:
 ```sh
 [workstation user ~]% sudo systemctl daemon-reload                            
 [workstation user ~]% sudo systemctl restart docker
 [workstation user ~]% docker pull alpine
 Using default tag: latest
 permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=alpine&tag=latest": dial unix /var/run/docker.sock: connect: permission denied
 zsh: exit 1     docker pull alpine
 [workstation user ~]% sudo !!                      
 [workstation user ~]% sudo docker pull alpine
 Using default tag: latest
 latest: Pulling from library/alpine
 fe07684b16b8: Pull complete 
 Digest: sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715
 Status: Downloaded newer image for alpine:latest
 docker.io/library/alpine:latest
 ```
 And that's it! we managed to pull the alpine image as intended.
 ## Sidenotes
 1) you can't connect to the internet from a docker container that is in a whonix workstation, and the [whonix developers won't bother providing support for it](https://forums.whonix.org/t/how-can-you-make-a-docker-container-inside-whonix-workstation-connect-to-the-internet/21772/2)
 2) disabling the whonix firewall does not fix the issue either
 3) you cant edit the socsk5 port on whonix workstation by editing /etc/tor/torrc to try and set SOCKSPort to 0.0.0.0:9050, which would make it easy to access the tor socks port from the docker container.
 3) you can make a docker-compose.yml image with the docker container set to network_mode: host to be able to access the 9050 socks5 port on the 10.152.152.11 local IP, but it doesnt seem to be able to resolve domains either for some reason.
 ```
 [workstation user ~]% cat docker-compose.yml 
 services:
  myalpine:
    image: alpine
    tty: true
    network_mode: host
    environment:
      - 'HTTP_PROXY=socks5://host.docker.internal:9050'
      - 'HTTPS_PROXY=socks5://host.docker.internal:9050'
    extra_hosts:
      - host.docker.internal:host-gateway
 [workstation user ~]% sudo docker-compose down ; sudo docker-compose up -d
 Stopping user_myalpine_1 ... done
 Removing user_myalpine_1 ... done
 Creating user_myalpine_1 ... done
 [workstation user ~]% sudo docker container ls                          
 CONTAINER ID   IMAGE     COMMAND     CREATED          STATUS          PORTS     NAMES
 0752ecb83c6b   alpine    "/bin/sh"   43 seconds ago   Up 42 seconds             user_myalpine_1
 [workstation user ~]% sudo docker exec -it 0752 sh
 [workstation user ~]% sudo docker exec -it 0752 sh
 / # ip a
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 52:54:00:e8:c3:50 brd ff:ff:ff:ff:ff:ff
    inet 10.152.152.11/18 brd 10.152.191.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fee8:c350/64 scope link 
       valid_lft forever preferred_lft forever
 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:8c:ad:6a:cd brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8cff:fead:6acd/64 scope link 
       valid_lft forever preferred_lft forever
 15: br-973a58a1c943: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:35:83:6e:bc brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-973a58a1c943
       valid_lft forever preferred_lft forever
    inet6 fe80::42:35ff:fe83:6ebc/64 scope link 
       valid_lft forever preferred_lft forever
 / # nc 10.152.152.11 -p 9050
 nc: bind: Address in use
 ```
 4) tested with a forgejo container, with the socks5 proxy set onto 10.152.152.11 on port 9050, it is unable to mirror repositories that are on external clearnet git instances.
 TLDR: if you run a docker container inside of a whonix workstation VM, it will remain truly isolated and unable to communicate with the internet.
--- a/forgejo-anon/index.md
+++ b/forgejo-anon/index.md
@ -276,8 +276,14 @@ Now in order to make sure our Forgejo instance is able to mirror external git re
    → cat gitea/gitea/conf/app.ini | tail -n 4
    [proxy]
    PROXY_ENABLED = true
-    PROXY_URL = **socks://tor-forgejo:9050/**
+    PROXY_URL = socks5://tor-forgejo:9050/
    PROXY_HOSTS = *
    [migrations]
    ALLOW_LOCALNETWORKS = true
    SKIP_TLS_VERIFY = true
    ALLOWED_DOMAINS = *
    BLOCKED_DOMAINS = 
    [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion]
    → docker-compose down ; docker-compose up -d
@ -286,6 +292,8 @@ Now in order to make sure our Forgejo instance is able to mirror external git re
 And now from there, we should be able to mirror external repositories on gitea by making the traffic go through Tor aswell. As an example, let's create a git mirror of the official [Monero](../monero2024/index.md) repository that currently sits on [Github](https://github.com/monero-project/monero):
 **SIDENOTE:** [you can't mirror clone repositories that are on other forgejo onion-only instances](https://codeberg.org/forgejo/forgejo/issues/8193)  due to an upstream issue in [curl](https://github.com/curl/curl/issues/17363)  So in the meantime, you can only use the mirror function to clone other clearnet repositories.
 ![](9.png) ![](10.png) ![](11.png)
 Now be aware that it's going to take longer than it usually would to get the repository due to the low bandwidth that Tor has, so be be patient and wait until it finishes:
@ -348,7 +356,7 @@ Then we can proceed with the rest of the instructions to push the commit to the
    → git remote add origin http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/nihilist/my-very-cool-repository.git
    [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository]
-    → **torsocks git push -u origin main**
+    → torsocks git push -u origin main
    Username for 'http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion': nihilist
    Password for 'http://nihilist@daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion':
    Enumerating objects: 3, done.
@ -463,14 +471,9 @@ Next, if you want a custom CSS theme like the one i have, **first be aware that
    → cd css
    [ Datura ] [ /dev/pts/6 ] [public/assets/css]
-    → wget https://git.nowhere.moe/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/public/assets/css/theme-space.css
+    → torsocks wget http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/public/assets/css/theme-space.css
-    --2024-11-23 20:25:50--  https://git.nowhere.moe/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/public/assets/css/theme-space.css
+    --2024-11-23 20:25:50--  http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/public/assets/css/theme-space.css
-    Resolving git.nowhere.moe (git.nowhere.moe)... 65.109.30.253
+       
    Connecting to git.nowhere.moe (git.nowhere.moe)|65.109.30.253|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 22754 (22K) [text/plain]
    Saving to: ‘theme-space.css’
    theme-space.css                100%[=================================================>]  22.22K  --.-KB/s    in 0s
    2024-11-23 20:25:50 (310 MB/s) - ‘theme-space.css’ saved [22754/22754]