Updates Whonix-based templates 14 -> 15

dom0/sd-dom0-files.sls

@@ -6,6 +6,12 @@
 # over time. These scripts should be ported to an RPM package.
 ##
 
+include:
+  # Import the upstream Qubes-maintained anon-whonix settings.
+  # The anon-whoni config pulls in sys-whonix and sys-firewall,
+  # as well as ensures the latest versions of Whonix are installed.
+  - qvm.anon-whonix
+
 dom0-rpm-test-key:
   file.managed:
     # We write the pubkey to the repos config location, because the repos
@@ -87,79 +93,26 @@ dom0-securedrop-icon:
     - require:
       - file: dom0-securedrop-icons-directory
 
-dom0-enabled-apparmor-on-whonix-gw-14-template:
+dom0-enabled-apparmor-on-whonix-gw-template:
   qvm.vm:
-    - name: whonix-gw-14
+    - name: whonix-gw-15
     - prefs:
       - kernelopts: "nopat apparmor=1 security=apparmor"
+    - require:
+      - sls: qvm.anon-whonix
 
-dom0-enabled-apparmor-on-whonix-ws-14-template:
+dom0-enabled-apparmor-on-whonix-ws-template:
   qvm.vm:
-    - name: whonix-ws-14
+    - name: whonix-ws-15
     - prefs:
       - kernelopts: "nopat apparmor=1 security=apparmor"
+    - require:
+      - sls: qvm.anon-whonix
 
 dom0-create-opt-securedrop-directory:
   file.directory:
     - name: /opt/securedrop
 
-# Temporary workaround to ensure the whonix templateVMs have their whonix repos
-# disabled. While they are no longer supported by Whonix, they should still
-# receive upstream Debian updates). Broken apt list prevents these updates from
-# being applied. sd-whonix uses whonix-14-gw directly, so we must update that
-# template. We must also used the whonix_repository tool, as otherwise the
-# repos may reappear. sudo whonix_repository --enable to bring them back.
-dom0-whonix-gw-disable-apt-list:
-  cmd.run:
-    - name: >
-        test -f /opt/securedrop/whonix-gw-14-ths-repo-disabled ||
-        qvm-run -a whonix-gw-14
-        "sudo whonix_repository --disable" &&
-        qvm-shutdown --wait whonix-gw-14 &&
-        touch /opt/securedrop/whonix-gw-14-ths-repo-disabled
-    - require:
-      - file: dom0-create-opt-securedrop-directory
-
-# We need to disable the whonix apt sources for the python-futures installation
-# for ws as well, for the python-futures package to be properly installed
-dom0-whonix-ws-disable-apt-list:
-  cmd.run:
-    - name: >
-        test -f /opt/securedrop/whonix-ws-14-ths-repo-disabled ||
-        qvm-run -a whonix-ws-14
-        "sudo whonix_repository --disable" &&
-        qvm-shutdown --wait whonix-ws-14 &&
-        touch /opt/securedrop/whonix-ws-14-ths-repo-disabled
-    - require:
-      - file: dom0-create-opt-securedrop-directory
-
-# Temporary workaround to bootstrap Salt support on target.
-dom0-whonix-gw-14-install-python-futures:
-  cmd.run:
-    - name: >
-        test -f /opt/securedrop/whonix-gw-14-python-futures ||
-        qvm-run -a whonix-gw-14
-        "python -c 'import concurrent.futures' ||
-        { sudo apt-get update && sudo apt-get install -qq python-futures ; }" &&
-        qvm-shutdown --wait whonix-gw-14 &&
-        touch /opt/securedrop/whonix-gw-14-python-futures
-    - require:
-      - file: dom0-create-opt-securedrop-directory
-      - cmd: dom0-whonix-gw-disable-apt-list
-
-dom0-whonix-ws-14-install-python-futures:
-  cmd.run:
-    - name: >
-        test -f /opt/securedrop/whonix-ws-14-python-futures ||
-        qvm-run -a whonix-ws-14
-        "python -c 'import concurrent.futures' ||
-        { sudo apt-get update && sudo apt-get install -qq python-futures ; }" &&
-        qvm-shutdown --wait whonix-ws-14 &&
-        touch /opt/securedrop/whonix-ws-14-python-futures
-    - require:
-      - file: dom0-create-opt-securedrop-directory
-      - cmd: dom0-whonix-ws-disable-apt-list
-
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
 
 dom0-login-autostart-directory:

dom0/sd-proxy.sls

@@ -10,32 +10,34 @@
 ##
 
 include:
-  - qvm.template-whonix-ws
   - sd-whonix
+  - sd-upgrade-templates
 
 sd-proxy-template:
   qvm.vm:
-    - name: sd-proxy-template
+    - name: sd-proxy-buster-template
     - clone:
-      - source: whonix-ws-14
+      - source: whonix-ws-15
       - label: blue
     - tags:
       - add:
         - sd-workstation
+        - sd-buster
 
 sd-proxy:
   qvm.vm:
     - name: sd-proxy
     - present:
-      - template: sd-proxy-template
       - label: blue
     - prefs:
+      - template: sd-proxy-buster-template
       - netvm: sd-whonix
       - kernelopts: "nopat apparmor=1 security=apparmor"
       - autostart: true
     - tags:
       - add:
         - sd-workstation
+        - sd-buster
     - require:
       - qvm: sd-whonix
       - qvm: sd-proxy-template

dom0/sd-sys-whonix-vms.sls

@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+include:
+  # Import the upstream Qubes-maintained anon-whonix settings.
+  # The anon-whoni config pulls in sys-whonix and sys-firewall,
+  # as well as ensures the latest versions of Whonix are installed.
+  - qvm.anon-whonix
+
+# The Qubes logic is too polite about enforcing template
+# settings, using "present" rather than "prefs". Below
+# we force the template updates.
+sys-whonix-template-config:
+  qvm.vm:
+    - name: sys-whonix
+    - prefs:
+      - template: whonix-gw-15
+    - require:
+      - sls: qvm.anon-whonix
+
+anon-whonix-template-config:
+  qvm.vm:
+    - name: anon-whonix
+    - prefs:
+      - template: whonix-ws-15
+    - require:
+      - sls: qvm.anon-whonix

dom0/sd-whonix.sls

@@ -10,23 +10,26 @@
 ##
 
 include:
-  - qvm.template-whonix-gw
-  - qvm.sys-firewall
+  # Import the upstream Qubes-maintained anon-whonix settings.
+  # The anon-whoni config pulls in sys-whonix and sys-firewall,
+  # as well as ensures the latest versions of Whonix are installed.
+  - qvm.anon-whonix
 
 sd-whonix:
   qvm.vm:
     - name: sd-whonix
     - present:
-      - template: whonix-gw-14
       - label: purple
       - mem: 500
     - prefs:
+      - template: whonix-gw-15
       - provides-network: true
       - netvm: "sys-firewall"
       - autostart: true
       - kernelopts: "nopat apparmor=1 security=apparmor"
     - tags:
       - add:
         - sd-workstation
+        - sd-buster
     - require:
-      - qvm: sys-firewall
+      - sls: qvm.anon-whonix

dom0/sd-workstation.top

@@ -8,6 +8,7 @@ base:
     - sd-workstation-template
     - sd-upgrade-templates
     - sd-dom0-qvm-rpc
+    - sd-sys-whonix-vms
     - sd-export
     - sd-gpg
     - sd-proxy
@@ -19,7 +20,7 @@ base:
     - sd-export-files
   sd-gpg:
     - sd-gpg-files
-  sd-proxy-template:
+  sd-proxy-buster-template:
     - sd-proxy-template-files
   sd-svs:
     - sd-svs-config

dom0/securedrop-handle-upgrade

@@ -47,6 +47,33 @@ if [[ $TASK == "prepare" ]]; then
 		fi
 	fi
 
+    # For Whonix VMs, shut them down, so we can upate the TemplateVM settings.
+    # We shut down sd-proxy before sd-whonix, since its netvm is sd-whonix, which won't
+    # shutdown if a client is connected.
+	if qvm-check --quiet sd-proxy; then
+		BASE_TEMPLATE=$(qvm-prefs sd-proxy template)
+		if [[ ! $BASE_TEMPLATE =~ "buster" ]]; then
+			qvm-shutdown --wait sd-proxy
+		fi
+	fi
+
+	if qvm-check --quiet sd-whonix; then
+		BASE_TEMPLATE=$(qvm-prefs sd-whonix template)
+		if [[ ! $BASE_TEMPLATE =~ "15" ]]; then
+			qvm-shutdown --wait sd-whonix
+		fi
+	fi
+
+    # Kill sys-whonix, to make sure connected clients don't prevent shutdown.
+	if qvm-check --quiet sys-whonix; then
+		BASE_TEMPLATE=$(qvm-prefs sys-whonix template)
+		if [[ ! $BASE_TEMPLATE =~ "15" ]]; then
+            if qvm-check --quiet --running sys-whonix; then
+			    qvm-kill sys-whonix
+            fi
+		fi
+	fi
+
 	# Finally for sd-gpg, we simply shutdown the machine
 	if qvm-check --quiet sd-gpg; then
 		BASE_TEMPLATE=$(qvm-prefs sd-gpg template)
@@ -57,7 +84,7 @@ if [[ $TASK == "prepare" ]]; then
 elif [[ $TASK == "remove" ]]; then
 	# For each template, ensure the TemplateVM exists, that it is shut down
 	# before deleting it.
-	for template in sd-svs-template sd-svs-disp-template sd-export-template
+	for template in sd-svs-template sd-svs-disp-template sd-export-template sd-proxy-template
 	do
 		if qvm-check "${template}" --quiet; then
 			if qvm-check --running "${template}"; then

tests/test_dom0_config.py

@@ -1,9 +1,12 @@
 import subprocess
 import unittest
 
-STRETCH_TEMPLATES = ["sd-svs-template",
-                     "sd-svs-disp-template",
-                     "sd-export-template"]
+STRETCH_TEMPLATES = [
+    "sd-svs-template",
+    "sd-svs-disp-template",
+    "sd-export-template",
+    "sd-proxy-template",
+]
 
 
 class SD_Qubes_Dom0_Templates_Tests(unittest.TestCase):

tests/test_proxy_vm.py

@@ -32,8 +32,13 @@ def test_sd_proxy_yaml_config(self):
         for line in wanted_lines:
             self.assertFileHasLine("/etc/sd-proxy.yaml", line)
 
-    def test_whonix_ws_14_repo_disabled(self):
-        assert self._fileExists(self.whonix_apt_list) is False
+    def test_whonix_ws_repo_enabled(self):
+        """
+        During Whonix 14 -> 15 migration, we removed the apt list file
+        (because the repo wasn't serving, due to EOL status). Let's
+        make sure it's there, since we're past 14 now.
+        """
+        assert self._fileExists(self.whonix_apt_list)
 
 
 def load_tests(loader, tests, pattern):

tests/test_qubes_vms.py

@@ -0,0 +1,53 @@
+import unittest
+
+from qubesadmin import Qubes
+
+
+CURRENT_FEDORA_VERSION = "30"
+CURRENT_WHONIX_VERSION = "15"
+
+
+class SD_Qubes_VM_Tests(unittest.TestCase):
+    """
+    Ensures that the upstream, Qubes-maintained VMs are
+    sufficiently up to date.
+    """
+
+    def setUp(self):
+        self.app = Qubes()
+
+    def tearDown(self):
+        pass
+
+    def test_current_fedora_for_sys_vms(self):
+        """
+        Checks that all sys-* VMs are configured to use
+        an up-to-date version of Fedora.
+        """
+        sys_vms = [
+            "sys-firewall",
+            "sys-net",
+            "sys-usb",
+        ]
+        for sys_vm in sys_vms:
+            vm = self.app.domains[sys_vm]
+            self.assertTrue(vm.template.name == "fedora-" + CURRENT_FEDORA_VERSION)
+
+    def test_current_whonix_vms(self):
+        """
+        Checks that the Qubes-maintained Whonix tooling
+        has been updated to the most recent version.
+        """
+        whonix_vms = [
+            "sys-whonix",
+            "anon-whonix",
+        ]
+        for whonix_vm in whonix_vms:
+            vm = self.app.domains[whonix_vm]
+            self.assertTrue(vm.template.name.startswith("whonix-"))
+            self.assertTrue(vm.template.name.endswith("-" + CURRENT_WHONIX_VERSION))
+
+
+def load_tests(loader, tests, pattern):
+    suite = unittest.TestLoader().loadTestsFromTestCase(SD_Qubes_VM_Tests)
+    return suite

tests/test_sd_whonix.py

@@ -20,8 +20,13 @@ def test_accept_sd_xfer_extracted_file(self):
 
             self.assertFileHasLine("/usr/local/etc/torrc.d/50_user.conf", line)
 
-    def test_sd_whonix_repo_disabled(self):
-        assert self._fileExists(self.whonix_apt_list) is False
+    def test_sd_whonix_repo_enabled(self):
+        """
+        During Whonix 14 -> 15 migration, we removed the apt list file
+        (because the repo wasn't serving, due to EOL status). Let's
+        make sure it's there, since we're past 14 now.
+        """
+        assert self._fileExists(self.whonix_apt_list)
 
 
 def load_tests(loader, tests, pattern):

tests/test_vms_exist.py

@@ -49,7 +49,7 @@ def test_sd_whonix_config(self):
         self.assertTrue(nvm.name == "sys-firewall")
         wanted_kernelopts = "nopat apparmor=1 security=apparmor"
         self.assertEqual(vm.kernelopts, wanted_kernelopts)
-        self.assertTrue(vm.template == "whonix-gw-14")
+        self.assertTrue(vm.template == "whonix-gw-15")
         self.assertTrue(vm.provides_network)
         self.assertTrue(vm.autostart is True)
         self.assertFalse(vm.template_for_dispvms)
@@ -61,7 +61,7 @@ def test_sd_proxy_config(self):
         self.assertTrue(nvm.name == "sd-whonix")
         wanted_kernelopts = "nopat apparmor=1 security=apparmor"
         self.assertEqual(vm.kernelopts, wanted_kernelopts)
-        self.assertTrue(vm.template == "sd-proxy-template")
+        self.assertTrue(vm.template == "sd-proxy-buster-template")
         self.assertTrue(vm.autostart is True)
         self.assertFalse(vm.provides_network)
         self.assertFalse(vm.template_for_dispvms)
@@ -113,7 +113,7 @@ def test_sd_workstation_template(self):
         self._check_service_running(vm, "paxctld")
 
     def test_sd_proxy_template(self):
-        vm = self.app.domains["sd-proxy-template"]
+        vm = self.app.domains["sd-proxy-buster-template"]
         nvm = vm.netvm
         self.assertTrue(nvm is None)
         self.assertTrue('sd-workstation' in vm.tags)