diff --git a/docs/development/testing_continuous_integration.rst b/docs/development/testing_continuous_integration.rst index b62e91a53..ff0a54c2e 100644 --- a/docs/development/testing_continuous_integration.rst +++ b/docs/development/testing_continuous_integration.rst @@ -102,3 +102,77 @@ To run the tests locally: You can use ``./devops/gce-nested/ci-runner.sh`` to provision the remote hosts while making changes, including rebuilding the Debian packages used in the Staging environment. See :doc:`virtual_environments` for more information. + +Debugging CI Issues and Connecting to Remote Instances +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +For the staging tests, a container will be spawned on CircleCI, which will then +create a Google Compute instance with nested virtualization and will set up the +virtual environment and run the playbooks on that remote. + +Cloud instances are deleted after the test run is completed, whether a test run +passes or fails. In order to debug the state of the remote instance, we must first +ensure that the instance is not automatically destroyed. Note that there is a also +a cron job that destroys instances daily as well. The following is an example +of a commit to apply to a branch in order disable the deletion for the Focal staging job: + +.. code:: Diff + + diff --git a/.circleci/config.yml b/.circleci/config.yml + index 4a9b0bd4c..d9aea01b8 100644 + --- a/.circleci/config.yml + +++ b/.circleci/config.yml + @@ -354,13 +354,6 @@ jobs: + BASE_OS=focal make ci-go + no_output_timeout: 35m + + - - run: + - name: Ensure environment torn down + - # Always report true, since env should will destroyed already + - # if all tests passed. + - command: make ci-teardown || true + - when: always + - + - store_test_results: + path: ~/sd/junit + + diff --git a/devops/gce-nested/ci-go.sh b/devops/gce-nested/ci-go.sh + index 850324ecc..776120df4 100755 + --- a/devops/gce-nested/ci-go.sh + +++ b/devops/gce-nested/ci-go.sh + @@ -16,4 +16,3 @@ export BASE_OS="${BASE_OS:-xenial}" + + ./devops/gce-nested/gce-start.sh + ./devops/gce-nested/gce-runner.sh + -./devops/gce-nested/gce-stop.sh + diff --git a/devops/scripts/create-staging-env b/devops/scripts/create-staging-env + index 3b9a2c7f8..df2ccfe3d 100755 + --- a/devops/scripts/create-staging-env + +++ b/devops/scripts/create-staging-env + @@ -33,7 +33,7 @@ printf "Creating staging environment via '%s'...\\n" "${securedrop_staging_scena + virtualenv_bootstrap + # Are we in CI? Then lets do full testing post install! + if [ "$USER" = "sdci" ]; then + - molecule test -s "${securedrop_staging_scenario}" + + molecule test --destroy=never -s "${securedrop_staging_scenario}" + else + molecule "${MOLECULE_ACTION:-converge}" -s "${securedrop_staging_scenario}" "${EXTRA_ANSIBLE_ARGS[@]}" + fi + +Once that commit is pushed, run the appropritate ``staging-test-with-rebase`` job +with ssh using with CircleCI. Once logged into that container, you can ssh into the +Google Compute host: + +.. code:: sh + + ssh -i /tmp/gce-nested/gce sdci@ + +Once on the GCP host, the SecureDrop source is in ``/home/sdci/securedrop-source`` +and you may activate the virtualenv, list the molecule instances and connect to +VM instances: + +.. code:: sh + + cd securedrop-source + source .venv/bin/activate + molecule list + molecule login -s libvirt-staging-focal --host app-staging diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst index 52525cb9c..32547735b 100644 --- a/docs/set_up_admin_tails.rst +++ b/docs/set_up_admin_tails.rst @@ -4,7 +4,7 @@ Set up the *Admin Workstation* .. _set_up_admin_tails: Earlier, you should have created the *Admin Workstation* Tails USB along with a -persistence volume for it. Now, we are going to add a couple more features to +persistent volume for it. Now, we are going to add a couple more features to the *Admin Workstation* to facilitate SecureDrop's setup. If you have not switched to and booted the *Admin Workstation* Tails USB on your @@ -190,22 +190,32 @@ in the SecureDrop repository that you just cloned. To use the template: .. code:: sh cp ~/Persistent/securedrop/tails_files/securedrop-keepassx.kdbx \ - ~/Persistent/keepassx.kdbx + ~/Persistent/Passwords.kdbx - Open the KeePassXC program |KeePassXC| which is already installed on Tails -- Select **Database**, **Open database**, and navigate to the location of - **~/Persistent/keepassx.kdbx**, select it, and click **Open** -- Check the **password** box and hit **OK** +- Select **Database ▸ Open database**, and navigate to the location of + **~/Persistent/Passwords.kdbx**, select it, and click **Open** +- Leave the password blank and click **OK**. If you receive an "Unlock failed" + prompt, click **Retry with empty password**. - Edit entries as required. -- Select **Database** and **Save Database** to save your changes. +- Select **Database ▸ Save Database** to save your changes. -The next time you use KeepassXC, the database at ``~/Persistent/keepassx.kdbx`` -will be opened by default. +The next time you use KeepassXC, the database at ``~/Persistent/Passwords.kdbx`` +will be selected by default. -.. tip:: If you would like to add a master password, navigate to **Database** and - **Change master key**. Note that since each KeePassXC database is stored - on the encrypted persistent volume, this additional passphrase is not necessary. +KeePassXC will show a warning every time you attempt to open a database without +entering a password. Because your persistent volume is encrypted, setting up this +additional password is not strictly required. It provides some additional +protection, e.g., if a computer is left running, at the cost of convenience. + +For passwordless access without warnings, you can protect the database using a +key file, via **Database ▸ Database settings ▸ Security ▸ Add additional protection +▸ Add Key File ▸ Generate**. This key file has to be stored in your Persistent +folder and it must be selected when you open the database. + +After configuring the password database, restart KeePassXC once to verify +that you are able to access it as expected. .. warning:: You will not be able to access your passwords if you forget the master password or the location of the key