From 4b6e9e336071460394a40d9e0828b0f873e297d6 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Mon, 5 Nov 2018 10:31:07 -0800
Subject: [PATCH 1/3] Conditionally installs python-futures in Whonix templates
The Whonix 14 templates lack `python-futures`, due to their dependency on an older version of the debian-9-minimal Template, so Salt cannot be used against them out of of the box. We must ensure the package is present in order to use Salt. Since updating apt lists can a while, especially over Tor, let's first check whether the package is present by trying to import it, and skip if so. Otherwise, we'll proceed with the apt list update and install command. The other significant change here is more explicit dependency declaration, so that the python-futures task is guaranteed to finish before any Salt-related tasks are run against the child VMs.
---
dom0/sd-journalist-files.sls | 23 ++++++++++++++++++-----
dom0/sd-journalist.sls | 9 +++++++--
dom0/sd-whonix.sls | 10 ++++++++--
3 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/dom0/sd-journalist-files.sls b/dom0/sd-journalist-files.sls
index 948f8dc6..0b46094e 100644
--- a/dom0/sd-journalist-files.sls
+++ b/dom0/sd-journalist-files.sls
@@ -9,11 +9,15 @@
 #
 ##
-mkfifo /home/user/sdfifo:
- cmd.run
-
-chmod 666 /home/user/sdfifo:
- cmd.run
+sd-journalist-create-feedback-pipe:
+ file.mknod:
+ - name: /home/user/sdfifo
+ - ntype: p
+ - user: user
+ - group: user
+ - mode: 666
+ require:
+ - cmd: sd-journalist-install-python-futures
 /home/user/.config/mimeapps.list:
 file.managed:
@@ -22,3 +26,12 @@ chmod 666 /home/user/sdfifo:
 - group: user
 - mode: 644
 - makedirs: True
+ require:
+ - cmd: sd-journalist-install-python-futures
+
+sd-journalist-install-python-qt4:
+ pkg.installed:
+ - pkgs:
+ - python-qt4
+ require:
+ - cmd: sd-journalist-install-python-futures
diff --git a/dom0/sd-journalist.sls b/dom0/sd-journalist.sls
index eb8f785a..c648254b 100644
--- a/dom0/sd-journalist.sls
+++ b/dom0/sd-journalist.sls
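Review bot: In the new sd-journalist-create-feedback-pipe state the `require:` key appears to sit at the ID level, as a sibling of `file.mknod:`, rather than as `- require:` inside the function's argument list (the form this same series shows as a context line in dom0/sd-whonix.sls); whitespace is collapsed in this copy, so I am reading that from the missing list dash. As far as I know Salt's high-data verifier lets an ID-level `require`/`watch` key through without an error but never attaches it to `file.mknod`, so the ordering the commit message promises would not actually be enforced, and the same placement is used for the mimeapps.list and sd-journalist-install-python-qt4 states in the second hunk and, in this series' second patch, for dom0/fpf-apt-test-repo.sls and dom0/sd-dom0-files.sls, where adding the `pkg:`/`file:` prefix would explain why the earlier "not available" error went away without the dependency taking effect. The corrected shape is `  file.mknod:` … `    - require:` / `      - cmd: sd-journalist-install-python-futures`, indented under the function rather than under the ID. Separately, sd-journalist-install-python-futures is defined in dom0/sd-journalist.sls; if that file is applied to dom0 while this one is pushed to the sd-journalist VM, as the Makefile targets suggest, a requisite on it cannot resolve inside the VM's own highstate once it is placed correctly, so the ordering belongs on the dom0 side (the sd-journalist qvm.vm state already requires it) rather than here.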
@@ -25,6 +25,7 @@ sd-journalist:
 - pkg: qubes-template-whonix-ws-14
 - qvm: sd-whonix
 - qvm: sd-journalist-template
+ - cmd: sd-journalist-install-python-futures
 /etc/qubes-rpc/policy/sd-process.Feedback:
 file.managed:
@@ -38,9 +39,13 @@ sd-journalist:
 # * python-futures required bootstrap Salt support
 # * python-qt4 required for sd-process-feedback GUI integration
 #
-install python-qt4 and python-futures:
+sd-journalist-install-python-futures:
 cmd.run:
- - name: qvm-run -a whonix-ws-14 'sudo apt-get update && sudo apt-get install -qq python-futures python-qt4'
+ - name: >
+ qvm-run -a whonix-ws-14
+ "python -c 'import concurrent.futures' ||
+ { sudo apt-get update && sudo apt-get install -qq python-futures ; }" &&
+ qvm-shutdown --wait whonix-ws-14
 # When our Qubes bug is fixed, this will *not* be used
 sd-journalist-dom0-qubes.OpenInVM:
diff --git a/dom0/sd-whonix.sls b/dom0/sd-whonix.sls
index 07eb1963..9cf0d5f1 100644
--- a/dom0/sd-whonix.sls
+++ b/dom0/sd-whonix.sls
@@ -14,8 +14,13 @@ include:
 - qvm.sys-firewall
 # Temporary workaround to bootstrap Salt support on target.
-qvm-run -a whonix-gw-14 "sudo apt-get install -qq python-futures":
- cmd.run
+sd-whonix-install-python-futures:
+ cmd.run:
+ - name: >
+ qvm-run -a whonix-gw-14
+ "python -c 'import concurrent.futures' ||
+ { sudo apt-get update && sudo apt-get install -qq python-futures ; }" &&
+ qvm-shutdown --wait whonix-gw-14
 sd-whonix-template:
 qvm.vm:
@@ -41,3 +46,4 @@ sd-whonix:
 - require:
 - pkg: qubes-template-whonix-gw-14
 - qvm: sys-firewall
+ - cmd: sd-whonix-install-python-futures
From 41c66ba1fcab4109bd37d4258711c12a182ec1e3 Mon Sep 17 00:00:00 2001
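Review bot: The presence check `python -c 'import concurrent.futures'` in the new sd-journalist-install-python-futures command only proves the package is missing if `python` resolves to Python 2 inside whonix-ws-14, because `concurrent.futures` is part of the Python 3 standard library; under a Python 3 `python` the import succeeds, python-futures is never installed, and the Python 2 Salt bootstrap the commit message describes still lacks it. Spelling the interpreter out, `python2 -c 'import concurrent.futures'`, makes the test match the package being installed; the identical command for whonix-gw-14 in dom0/sd-whonix.sls has the same weakness. Folding the check into the shell `||` also means cmd.run reports a change on every highstate; putting the import test in Salt's `- unless:` argument instead gives an accurate changed/unchanged result and keeps the `- name:` to the install itself. The comment block directly above the state still says `# * python-qt4 required for sd-process-feedback GUI integration`, but this command no longer installs python-qt4 (that moved to dom0/sd-journalist-files.sls in this same patch), so that bullet should move with it or be dropped.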
From: Conor Schaefer
Date: Mon, 5 Nov 2018 14:46:42 -0800
Subject: [PATCH 2/3] Fixes Salt dependency declaration for apt repo
The proper syntax for Salt dependencies is: require: - : Omitting the Salt package name was causing failures in setting up the apt repo in the securedrop-workstation template. Resolved.
---
dom0/fpf-apt-test-repo.sls | 2 +-
dom0/sd-dom0-files.sls | 7 ++-----
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/dom0/fpf-apt-test-repo.sls b/dom0/fpf-apt-test-repo.sls
index 128ee9f4..8c500802 100644
--- a/dom0/fpf-apt-test-repo.sls
+++ b/dom0/fpf-apt-test-repo.sls
@@ -15,4 +15,4 @@ configure apt-test apt repo:
 - file: /etc/apt/sources.list.d/fpf-apt-test.list
 - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
 require:
- - install-python-apt-for-repo-config
+ - pkg: install-python-apt-for-repo-config
diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
index 8f71580e..7bcdad23 100644
--- a/dom0/sd-dom0-files.sls
+++ b/dom0/sd-dom0-files.sls
@@ -41,8 +41,5 @@ dom0-securedrop-icon:
 - user: root
 - group: root
 - mode: 644
- # Dependency on parent dir should be explicitly declared,
- # but the require syntax below was throwing an error that the
- # referenced task was "not available".
- # require:
- # - dom0-securedrop-icons-directory
+ require:
+ - file: dom0-securedrop-icons-directory
From 5217eccc70166f636a016a3c76a311aeddd90d27 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Mon, 5 Nov 2018 19:25:06 -0800
Subject: [PATCH 3/3] Displays detailed output during Salt provisioning
The default behavior of `qubesctl` is to mask details of command execution, for brevity. That masking makes debugging quite difficult, so let's display the output by default to developers.
---
Makefile | 22 +++++++++++-----------
README.md | 2 +-
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Makefile b/Makefile
index 24f27989..cc780297 100644
--- a/Makefile
+++ b/Makefile
@@ -18,36 +18,36 @@ clone: assert-dom0 ## Pulls the latest repo from work VM to dom0
 sd-workstation-template: prep-salt ## Provisions base template for SDW AppVMs
 sudo qubesctl top.enable sd-workstation-template
 sudo qubesctl top.enable sd-workstation-template-files
- sudo qubesctl --targets sd-workstation-template state.highstate
+ sudo qubesctl --show-output --targets sd-workstation-template state.highstate
 sd-journalist: prep-salt ## Provisions SD Journalist VM
 sudo qubesctl top.enable sd-journalist
 sudo qubesctl top.enable sd-journalist-files
- sudo qubesctl --targets sd-journalist-template state.highstate
- sudo qubesctl --targets sd-journalist state.highstate
+ sudo qubesctl --show-output --targets sd-journalist-template state.highstate
+ sudo qubesctl --show-output --targets sd-journalist state.highstate
 sd-gpg: prep-salt ## Provisions SD GPG keystore VM
 sudo qubesctl top.enable sd-gpg
 sudo qubesctl top.enable sd-gpg-files
- sudo qubesctl --targets sd-gpg state.highstate
+ sudo qubesctl --show-output --targets sd-gpg state.highstate
 sd-svs: prep-salt ## Provisions SD SVS VM
 sudo qubesctl top.enable sd-svs
 sudo qubesctl top.enable sd-svs-files
- sudo qubesctl --targets sd-svs-template state.highstate
- sudo qubesctl --targets sd-svs state.highstate
+ sudo qubesctl --show-output --targets sd-svs-template state.highstate
+ sudo qubesctl --show-output --targets sd-svs state.highstate
 sd-whonix: prep-salt ## Provisions SD Whonix VM
 sudo qubesctl top.enable sd-whonix
 sudo qubesctl top.enable sd-whonix-hidserv-key
- sudo qubesctl --targets sd-whonix-template state.highstate
- sudo qubesctl --targets sd-whonix state.highstate
+ sudo qubesctl --show-output --targets sd-whonix-template state.highstate
+ sudo qubesctl --show-output --targets sd-whonix state.highstate
 sd-svs-disp: prep-salt ## Provisions SD Submission Viewing VM
 sudo qubesctl top.enable sd-svs-disp
 sudo qubesctl top.enable sd-svs-disp-files
- sudo qubesctl --targets sd-svs-disp-template state.highstate
- sudo qubesctl --targets sd-svs-disp state.highstate
+ sudo qubesctl --show-output --targets sd-svs-disp-template state.highstate
+ sudo qubesctl --show-output --targets sd-svs-disp state.highstate
 clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
 @echo "Purging Salt config..."
@@ -130,7 +130,7 @@ prep-whonix: ## enables apparmor on whonix-ws-14 and whonix-gw-14
 prep-dom0: prep-salt # Copies dom0 config files for VM updates
 sudo qubesctl top.enable sd-vm-updates
 sudo qubesctl top.enable sd-dom0-files
- sudo qubesctl --targets dom0 state.highstate
+ sudo qubesctl --show-output --targets dom0 state.highstate
 list-vms: ## Prints all Qubes VMs managed by Workstation salt config
 @./scripts/list-vms
diff --git a/README.md b/README.md
index 4f4f3c7b..9179e05e 100644
--- a/README.md
+++ b/README.md
@@ -69,7 +69,7 @@ Once the configuration is done and this directory is copied to `dom0`, you must
 make all
 ```
-The build process takes quite a while. You will be presented with a dialogue asking how to connect to Tor: you should be able to select the default option and continue.
+The build process takes quite a while. You will be presented with a dialogue asking how to connect to Tor: you should be able to select the default option and continue. You may wish to increase the scrollback in the dom0 terminal from 1000 (the default) to 100000, to ensure you can review any errors in the verbose output.
 When the installation process completes, a number of new VMs will be available on your machine, all prefixed with `sd-`.
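Review bot: Adding `--show-output` to the `sd-whonix` target prints the full highstate result for a run that has just enabled `sd-whonix-hidserv-key`; if those states render or copy the onion service key, that material now lands in the dom0 terminal, and the README change in this same patch tells users to keep a 100000-line scrollback, so it would persist there. I cannot see the hidserv-key states from this diff, so please confirm whether they handle secrets and, if so, leave that highstate without `--show-output` (or set `show_changes: False` on the relevant file states). The flag is also repeated on every highstate line in this hunk and in the `@@ -130` hunk below; a single variable, `QUBESCTL = sudo qubesctl --show-output`, used as `$(QUBESCTL) --targets sd-whonix state.highstate`, keeps the lines in step and gives one place to drop the flag for sensitive targets.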