Automatically update dom0 and VM configs over time #172
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| # -*- coding: utf-8 -*- | ||
| # vim: set syntax=yaml ts=2 sw=2 sts=2 et : | ||
|
|
||
| ## | ||
| # Installs dom0 config scripts specific to tracking updates | ||
| # over time. These scripts should be ported to an RPM package. | ||
| ## | ||
|
|
||
|
|
||
| # Copy script to system location so admins can run ad-hoc | ||
| dom0-update-securedrop-script: | ||
| file.managed: | ||
| - name: /usr/bin/securedrop-update | ||
| - source: salt://securedrop-update | ||
| - user: root | ||
| - group: root | ||
| - mode: 755 | ||
|
|
||
| # Symlink update script into cron, for single point of update | ||
| dom0-update-securedrop-script-cron: | ||
| file.symlink: | ||
| - name: /etc/cron.daily/securedrop-update-cron | ||
| - target: /usr/bin/securedrop-update | ||
|
|
||
| # Create directory for storing SecureDrop-specific icons | ||
| dom0-securedrop-icons-directory: | ||
| file.directory: | ||
| - name: /usr/share/securedrop/icons | ||
| - user: root | ||
| - group: root | ||
| - mode: 755 | ||
| - makedirs: True | ||
|
|
||
| # Copy SecureDrop icon for use in GUI feedback. It's also present in | ||
| # the Salt directory, but the permissions on that dir don't permit | ||
| # normal user reads. | ||
| dom0-securedrop-icon: | ||
| file.managed: | ||
| - name: /usr/share/securedrop/icons/sd-logo.png | ||
| - source: salt://sd/sd-journalist/logo-small.png | ||
| - user: root | ||
| - group: root | ||
| - mode: 644 | ||
| # Dependency on parent dir should be explicitly declared, | ||
| # but the require syntax below was throwing an error that the | ||
| # referenced task was "not available". | ||
| # require: | ||
| # - dom0-securedrop-icons-directory |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # -*- coding: utf-8 -*- | ||
| # vim: set syntax=yaml ts=2 sw=2 sts=2 et : | ||
|
|
||
| base: | ||
| dom0: | ||
| - sd-dom0-files |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| # -*- coding: utf-8 -*- | ||
| # vim: set syntax=yaml ts=2 sw=2 sts=2 et : | ||
|
|
||
| # "Placeholder" config to trigger TemplateVM boots, | ||
| # so upgrades can be applied automatically via cron. | ||
| base: | ||
| qubes:type:template: | ||
| - match: pillar | ||
| - topd |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| #!/bin/bash | ||
| # Utility for dom- to ensure all updates are regularly installed | ||
| set -e | ||
| set -u | ||
|
|
||
| # Number of VMs to update in parallel. Default is 4, | ||
| # which can be memory-intensive. | ||
| SECUREDROP_MAX_CONCURRENCY=2 | ||
|
|
||
|
|
||
| # Ensure elevated privileges | ||
| if [[ "$EUID" -ne 0 ]]; then | ||
| echo "Script must be run as root! Exiting..." | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Display GUI feedback about update process | ||
| function securedrop-update-feedback() { | ||
| # Unpack msg as arg1 | ||
| local msg="$1" | ||
| shift | ||
|
|
||
| # Running `notify-send` as root doesn't work, must be normal user. | ||
| # Setting 30s expire time (in ms) since it's a long-running cmd. | ||
| su user -c "notify-send \ | ||
| --icon /usr/share/securedrop/icons/sd-logo.png \ | ||
| --expire-time 30000 \ | ||
| '$msg'" | ||
| } | ||
|
|
||
| # `qubesctl pkg.upgrade` will automatically update dom0 packages, as well, | ||
| # but we *first* want the freshest RPMs from dom0, *then* we'll want to | ||
| # update the VMs themselves. | ||
| securedrop-update-feedback "SecureDrop: Updating dom0 configuration..." | ||
|
There was a problem hiding this comment. Minor nit: "SecureDrop:" is added in |
||
| sudo qubes-dom0-update -y | ||
|
There was a problem hiding this comment. adding the I just had an issue where qubes-dom0-update was complaining of an unsigned package, due to me attempting to download an older whonix template in an effort to reproduce #122 (comment) There was a problem hiding this comment. Agreed, probably worth adding here, lest we forget to circle back—feel free to append, @emkll. |
||
|
|
||
| securedrop-update-feedback "SecureDrop: Updating application..." | ||
| qubesctl --templates \ | ||
| --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \ | ||
| pkg.upgrade refresh=true | ||
|
|
||
emkll marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| # Here would be a good place for state.highstate, to re-apply the VM configs. | ||
| # Let's first make sure the package upgrade logic is stable, we can circle | ||
| # back to enforce the Salt configs regularly. | ||
|
|
||
| securedrop-update-feedback "SecureDrop: All updates complete!" | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps due to the configuration of my Qubes machine, my user in dom0 is not
userThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ouch, that's a good flag. We still need to drop privileges in here; or we could dig more in the
notify-sendsettings. Off the cuff, inspecting/home/for a single dirname should give us whatever the name of the (single) custom user is. Make sense?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can safely assume that the normal user configured at install time has uid 1000; so:
Then we
suto that user to run thenotify-sendcommands.