Install LibreOffice in sd-svs-disp template #205

Closed
emkll opened this issue Nov 11, 2018 · 2 comments
@emkll

emkll commented Nov 11, 2018

Due to complexity around Java install and PaX flags: Java runs java as part of the install process, and paxctld does not run and apply the flag before that happens.

We will likely need to install Java twice:

  • Install, PaX mprotect will block the java post install script
  • Add m to java binary
  • Reinstall, now Java (and thus LibreOffice) should work.
@eloquence eloquence added this to the 0.1.0beta milestone Nov 13, 2018
eloquence added a commit that referenced this issue Nov 14, 2018
Since we're not going to have #205 land for 0.1.0alpha, we should
explicitly call out some good formats to test with.

I've also rephrased the "contact your administrator" language --
we can re-introduce that language as we build the proper end-user
documentation, but for now, pointing to the issue tracker feels
more appropriate.
@kushaldas kushaldas self-assigned this May 29, 2019
@conorsch

There's WIP in https://github.com/freedomofpress/securedrop-workstation/compare/svs_disp_libre. A few observations so far:

  1. The paxctld flags for sd-svs-disp are managed in https://github.com/freedomofpress/securedrop-debian-packaging/blob/ca926d5ee8a38713598991145f331def7b478bab/securedrop-workstation-svs-disp/paxctld.conf.svsdisp ; any updates outside the package logic, including Salt, will be clobbered on package upgrades.
  2. We may not need to disable memprotect on the libreoffice binary at all; this issue reports memprotect failures on the java binary, so first confirm that the java paths are properly exempted.
  3. The two-pass approach via bash script doesn't provide strong error handling; using retry logic in Salt may give us greater control over the resolution of apt state.

Based on the initial report, it seems that the java binary doesn't get the proper pax flag from paxctld before being invoked. That could be due to lack of proper path in the paxctld config, or it could simply be a race condition, where paxctld doesn't enforce quickly enough (triggered via inotify). A reasonable solution here is to check that paxctld is running via salt, and set the paxctld service check as a requirement of the libreoffice install.

@kushaldas

> There's WIP in https://github.com/freedomofpress/securedrop-workstation/compare/svs_disp_libre. A few observations so far:
>
> 1. The paxctld flags for sd-svs-disp are managed in https://github.com/freedomofpress/securedrop-debian-packaging/blob/ca926d5ee8a38713598991145f331def7b478bab/securedrop-workstation-svs-disp/paxctld.conf.svsdisp ; any updates outside the package logic, including Salt, will be clobbered on package upgrades.

I was looking at the wrong place :( I will update the right place then.

> 2. We may not need to disable memprotect on the libreoffice binary at all; this issue reports memprotect failures on the java binary, so first confirm that the java paths are properly exempted.

I disabled memprotect on libreoffice, otherwise there are those grsec error messages in the kern.log file. I thought not having those would help in the future.

> 3. The two-pass approach via bash script doesn't provide strong error handling; using [retry logic in Salt](https://docs.saltstack.com/en/latest/ref/states/requisites.html#retrying-states) may give us greater control over the resolution of apt state.

I will use this then. 🌈

> Based on the initial report, it seems that the java binary doesn't get the proper pax flag from paxctld before being invoked. That could be due to lack of proper path in the paxctld config, or it could simply be a race condition, where paxctld doesn't enforce quickly enough (triggered via inotify). A reasonable solution here is to check that paxctld is running via salt, and set the paxctld service check as a requirement of the libreoffice install.

This is due to a race condition where paxctld does not enforce on time for the java deb package installation.
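
The approach discussed in the two comments above (require a running paxctld before the install, and let Salt retry instead of a two-pass bash script), sketched as a Salt state. This is an added example, not part of the thread and not the project's own state file; the state IDs, the `paxctld` service name, the `libreoffice` package name and the retry values are assumptions.

```yaml
# Added example (not from the securedrop-workstation repo).
# State IDs, service name, package name and retry values are assumptions.

# Ensure paxctld is running and enabled, so its inotify watcher is in
# place before any package writes a java binary to disk.
paxctld-running:
  service.running:
    - name: paxctld
    - enable: True

# Install LibreOffice only after the paxctld state has succeeded.
# paxctld applies flags after the binary appears, so the Java post-install
# step can still lose the race on the first attempt; "retry" makes Salt
# re-run this state on failure instead of relying on a hand-written
# two-pass script with no error handling.
install-libreoffice:
  pkg.installed:
    - name: libreoffice
    - require:
      - service: paxctld-running
    - retry:
        attempts: 3
        interval: 10
```

The flags themselves still belong in the packaged `paxctld.conf.svsdisp`, since changes made to that file from Salt are overwritten on package upgrade, as noted in the first observation.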

kushaldas added a commit that referenced this issue Jun 5, 2019
Also restarts and enables paxctl service
kushaldas added a commit that referenced this issue Jun 7, 2019
Fixes #205 installs libreoffice in svs disp