Implements Debian9-based custom templates for all AppVMs #160
Thanks @conorsch this is looking good! I have successfully run this and all tests pass.
Single messages correctly open in dispvm using gedit. However, I am experiencing some issues in opening (other) files: (see image below).
It seems like a bug in `decrypt-sd-submission` on `sd-svs`, I am currently investigating.
We should also note that the VMs are not updated as part of the template building, we should probably invoke whichever script we decide to implement in #24 during the template clone/creation phase.
3c8a925 to b1c5b50
All of the `sd-*` VMs for the SecureDrop Workstation now use Debian 9 as the base template. This will allow us to use deb packages across the board for all AppVMs, as well as the hardened based image with a custom kernel in the near future, as well. Updates the test suites to accommodate for gpg v1/v2 output variance, as well as removes Fedora 28 as a permitted base for the AppVMs in the platform tests. This is a temporary measure: we don't want to reuse the system debian-9 TemplateVM, and should instead ship our own `securedrop-workstation-template` package to be installed via dom0.
Also caught an oversight where the decrypt-sd-submission script was never ported to python3; did that now. Removed the Salt logic creating the ~/Sources dir and placed that in the script; used python3 syntax and broke the script, so that's how I caught it. One other small change was required for Python 3 compatibility: updating a file.write operation to write bytes, not strings.
Revises sd-journalist paths to be system-wide, same as with the other template migrations.
Updating paths in the config tests, so that e.g. in sd-journalist, the non-`/usr/local` paths are referenced. Expands the VM config tests to check templates and a bit more networking info.
Simplifies list-vms script via hardcoding
Tried to avoid hardcoding, but got too clever. We'll wait for when we have tags for all VMs.
Both concerns are addressed, @emkll, please have another look. There was a single change required for the Python 3 port (file-writing bytes-vs-strings, standard fare for 2 to 3 porting), and I updated the destroy logic to be hardcoded. In #135 we can make that logic dynamic via tags, let's keep it simple for now. Confirmed opening plaintext files (in gedit) and images (which opened in Firefox; flagged in #158 for follow-up).
Thanks @conorsch for the quick fixes! This looks good:
I can confirm that non-text submission case is now resolved, and that all workstation templates are now properly destroyed. All tests in `make test` are passing.
A note that with these changes, `make all` took almost 30 minutes in my local testing, which is significantly more than with previous iterations of the provisioning code, and that this doesn't include updates to the templates, which should be implemented per #24.
Yes, it's taking a long time. Shortly I believe we should omit the "clean" step from
This will ensure we will be able to apply preferences (e.g. qubes-rpc policies) across all VMs managed in the Qubes Workstation. Added configuration tests for templates VMs that were created as part of #160
Converts all the AppVMs to reference a custom TemplateVM called `sd-workstation-template`, which is cloned from the system `debian-9` TemplateVM. Summary of changes:

- `<app_vm_name>-template`, with a single exception: `sd-gpg` has no corresponding `sd-gpg-template`, because its customizations are simply a keyring that lives in $HOME, and therefore would not be inherited from the TemplateVM.
- `sd-workstation-template` as a base TemplateVM for use across the multiple AppVM configurations. Does not include much of the hardening documented in Create securedrop-workstation TemplateVM #156, we can follow up after these changes are merged.
- `/usr/local/` to `/usr/` equivalents. Qubes handles `/usr/local/` directories specially, and allows them to be unique per VM.
- `/home/user/` paths is now discouraged, since AppVMs don't inherit those from TemplateVMs. Wherever possible, appropriate system paths are now used.

Testing

The test plan remains the same as usual:

1. `make all` in `dom0` and confirm no errors.
2. `make test` in `dom0` and confirm no errors.
3. `sd-` VMs are running Debian 9 (or Whonix 14, which is itself based on Debian 9).
4. `gedit` in a DisposableVM.

As usual, 4 is the real clincher here. Without any out-of-band modifications, you should be able to view a plaintext submission. Have not tried other file formats yet; we should write up a test plan to account for those.
Closes #131. Related to #156 and #158.
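
The path rule from the summary above (`/usr/local/` and `/home/user/` are per-VM and not inherited from the TemplateVM) can be checked mechanically. The following is an added example, not code from this pull request or the project; the function names and the sample paths are hypothetical and constructed for illustration.

```python
from pathlib import PurePosixPath

# Per-VM locations named in the PR description: files written here inside a
# TemplateVM are not inherited by the AppVMs based on it.
PER_VM_PREFIXES = ("/home/user", "/usr/local")


def inherited_from_template(path: str) -> bool:
    """Return True if a file at `path` in a TemplateVM is visible in its AppVMs."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError(f"expected an absolute path, got {path!r}")
    for prefix in PER_VM_PREFIXES:
        base = PurePosixPath(prefix)
        # Compare whole path components, so /usr/localization is not
        # mistaken for something under /usr/local.
        if p == base or base in p.parents:
            return False
    return True


def audit(template_files):
    """Return the template-provisioned paths that AppVMs would not inherit."""
    return [f for f in template_files if not inherited_from_template(f)]


# Constructed sample: paths a template's provisioning might write
# (hypothetical names, not the project's real files).
SAMPLE = [
    "/usr/bin/example-tool",
    "/usr/local/bin/example-tool",
    "/home/user/Sources",
    "/usr/share/applications/example.desktop",
    "/usr/localization/readme",
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("not inherited by AppVMs:", path)
```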