From d1f9cfe28aa4a8f6f0967d55dc18d3be1e9ff93d Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Wed, 24 Oct 2018 14:55:38 -0400
Subject: [PATCH] Expands securedrop-update script
Tackling requested changes during review:
* supports custom dom0 usernames
* omits --templates on pkg upgrade to include dom0
* uses state.highstate to enforce VM config
* notify about reboot request (so updates are applied)
We'll want to clean up the reboot recommendation once we have more UX feedback. For now, it's enough to notify that updates aren't actually in effect (due to AppVMs not having been restarted).
---
 dom0/securedrop-update | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/dom0/securedrop-update b/dom0/securedrop-update
index f5ecc59b6..00abb7a67 100755
--- a/dom0/securedrop-update
+++ b/dom0/securedrop-update
@@ -21,26 +21,34 @@ function securedrop-update-feedback() {
 shift
 # Running `notify-send` as root doesn't work, must be normal user.
- # Setting 30s expire time (in ms) since it's a long-running cmd.
- su user -c "notify-send \
+ # Setting 60s expire time (in ms) since it's a long-running cmd.
+ local qubes_user
+ qubes_user="$(id -nu 1000)"
+ su "$qubes_user" -c "notify-send \
+ --app-name 'SecureDrop Workstation' \
 --icon /usr/share/securedrop/icons/sd-logo.png \
- --expire-time 30000 \
- '$msg'"
+ --expire-time 60000 \
+ 'SecureDrop: $msg'"
 }
 # `qubesctl pkg.upgrade` will automatically update dom0 packages, as well,
 # but we *first* want the freshest RPMs from dom0, *then* we'll want to
 # update the VMs themselves.
-securedrop-update-feedback "SecureDrop: Updating dom0 configuration..."
-sudo qubes-dom0-update -y
-securedrop-update-feedback "SecureDrop: Updating application..."
-qubesctl --templates \
+securedrop-update-feedback "Updating application..."
+qubesctl \
 --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
 pkg.upgrade refresh=true
+securedrop-update-feedback "Updating VM configuration..."
+qubesctl \
+ --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
+ state.highstate
+
 # Here would be a good place for state.highstate, to re-apply the VM configs.
 # Let's first make sure the package upgrade logic is stable, we can circle
 # back to enforce the Salt configs regularly.
-securedrop-update-feedback "SecureDrop: All updates complete!"
+securedrop-update-feedback \
+ "Updates installed. Please reboot the workstation \
+to ensure the latest security fixes are applied."
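Review bot: Dropping `--templates` from the `pkg.upgrade` call looks like it narrows the update instead of widening it: as far as I know `qubesctl` with no target flag (`--templates`, `--app`, `--all`, `--targets`) manages dom0 only, and dom0 is already included unless `--skip-dom0` is passed, so TemplateVM packages would no longer be upgraded and `--max-concurrency` would have nothing to act on. If that reading is right, keep `qubesctl --templates \` for the upgrade and give the new `state.highstate` call an explicit target too. Separately, nothing in the hunk checks the exit status of either `qubesctl` run, so unless the script enables `set -e` above the hunk a failed upgrade still ends with the "Updates installed" notification; `qubesctl ... || { securedrop-update-feedback "Update failed, see logs"; exit 1; }` would avoid that false assurance. The same applies to `qubes_user="$(id -nu 1000)"`, which should be checked for an empty result before it is handed to `su`. The two comment blocks kept as context ("we *first* want the freshest RPMs from dom0" and "Here would be a good place for state.highstate") no longer describe the code after this change and should be rewritten or removed.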